Site Reliability

Configure cross-region backup copy

Backups in the same region as the workload won't help when the region goes down. Add a cross-region copy rule before disaster forces the conversation.

15 min·10 sections·AWS

Last reviewed 27 May 2026

Cross-region backup copy: the basics

What does it mean to copy a backup across regions?

AWS Backup organises protection around a Backup Plan: a set of rules that snapshot the resources you tag or assign, on a schedule, into a Backup Vault. By default, that vault lives in the same region as the workload — eu-west-2 backups land in an eu-west-2 vault, us-east-1 backups land in a us-east-1 vault. A region-local copy is fine for the usual disaster: accidental delete, bad deploy, ransomware, a single AZ failure. It is useless for the disaster that empties the entire region.

A cross-region Copy Action attaches to a plan rule and fires automatically once the primary backup completes. It pushes the recovery point to a vault in a second region you nominate — eu-west-1, us-west-2, ap-southeast-2, wherever. From that moment on you have an independent, restorable copy outside the failure domain of the source region. If eu-west-2 goes dark, you can restore the workload into eu-west-1 from the copied recovery point.

The continuity check BKP-004 ("Cross-Region Copy Not Configured") fires when AWS Backup hasn't observed any cross-region copy jobs in a region for the last 30 days. Severity is MEDIUM rather than HIGH because most teams survive a long time without exercising it — until they don't. It is the kind of finding that looks ignorable in a steady-state quarter and looks negligent in a post-mortem.

In this lesson you'll learn why single-region backup is a category-of-one risk most teams underestimate, how AWS Backup's Copy Action actually works under the hood, what it costs to add a destination region, and how to wire one into an existing Backup Plan without breaking anything. You'll also see why a cross-region copy you've never restored from is theatre, and how to schedule restore drills that prove the strategy.

Fun fact

us-east-1's habit of taking everything with it

us-east-1 is AWS's oldest, largest, and most-incident-prone region. The December 2021 outage took out a chunk of multi-AZ services for hours; the June 2023 Lambda event cascaded across multiple AZs simultaneously; the September 2015 DynamoDB event took down half the internet's east coast. "Multi-AZ" doesn't always mean "multi-failure-domain" inside one region — control planes are shared. If your only backup is in the same region as the workload, your RPO during a region event is whatever you can recover from S3 Glacier on a different continent, in days, not minutes.

Cross-region copy in action

Marco runs platform for a UK fintech. A continuity audit flags BKP-004 against their eu-west-2 production account: 12 backup plans, all snapshotting RDS, EBS, and DynamoDB on a nightly schedule, none of them copying anywhere outside London.

He pulls the last 30 days of copy jobs to confirm — and gets exactly what the check predicted: zero copies, anywhere. Every recovery point they have is sitting in the same region as the resources it was taken from.

He picks eu-west-1 (Ireland) as the destination — geographically near, GDPR-aligned, same data-residency story for customers — and starts the work to wire up a Copy Action on the highest-impact plan first.

First, confirm the blind spot — list any copy jobs from eu-west-2 in the last 30 days.

$ aws backup list-copy-jobs --region eu-west-2 --by-created-after $(date -u -d '30 days ago' +%FT%TZ) --query 'CopyJobs[*].{Resource:ResourceArn,Dest:DestinationBackupVaultArn,State:State}' --output table

-----------------------------------------

| ListCopyJobs |

+---------+---------+-----------+---------+

+---------+---------+-----------+---------+

# Empty response. Zero copy jobs in 30 days — every recovery point lives in eu-west-2 only.

No cross-region copy activity in the source region — exactly what BKP-004 detects.

Inspect the highest-impact backup plan to see what a Copy Action needs to slot into.

$ aws backup get-backup-plan --backup-plan-id 4f8c1d2b-7a3e-4f1c-9b5a-2d8e6f0a1c34 --query 'BackupPlan.Rules[0]'

{

"RuleName": "DailyRDS",

"TargetBackupVaultName": "prod-rds-vault",

"ScheduleExpression": "cron(0 2 * * ? *)",

"StartWindowMinutes": 60,

"CompletionWindowMinutes": 180,

"Lifecycle": { "DeleteAfterDays": 35 },

"CopyActions": []

}

# CopyActions is empty — recovery points never leave eu-west-2.

The plan rule that needs a CopyActions block pointing at an eu-west-1 vault.

How AWS Backup's Copy Action actually worksdeep dive

A Copy Action is not a separate workflow you trigger after the backup — it's a property of the plan rule itself. When the primary backup job for a rule reaches COMPLETED, AWS Backup synchronously kicks off a copy job for every entry in the rule's CopyActions array. Each entry names a DestinationBackupVaultArn (which encodes the destination region) and an independent Lifecycle for retention in the destination. The copy preserves the recovery-point metadata and tags, and the destination recovery point is restorable in its own right — you don't need the source region to be reachable.

Encryption is the part teams get wrong. The source vault and destination vault each use a KMS key in their own region; AWS KMS keys are region-scoped, and cross-region KMS keys don't exist. Backup re-encrypts the recovery point with the destination vault's KMS key as part of the copy, which means the destination key has to exist and have the right key policy before the first copy runs. If you reuse the same alias name in both regions ("alias/backup-key") your IaC stays clean and your operators don't get confused at 3am.

Cost-wise there are three line items: the copy operation itself (a per-GB charge), warm storage at the destination (priced like normal Backup storage), and — if you ever restore back to the source region — cross-region data transfer at standard EC2 inter-region rates. The rough planning number is 2x the source storage cost as a steady-state figure, plus a one-off transfer charge in a real DR event. That number isn't optional cost; it's what disaster-recovery costs to actually have.

# Inspect a copy job after it fires — see source/dest vault, state, and bytes copied.
aws backup describe-copy-job \
  --copy-job-id 8e3c5a7d-2f4b-4c8a-9d1e-6b3a7f9c2e51 \
  --region eu-west-2 \
  --query '{State:State,Source:SourceBackupVaultArn,Dest:DestinationBackupVaultArn,Bytes:BackupSizeInBytes}'

# Pre-create the destination KMS key in the destination region before any plan changes.
aws kms create-key \
  --region eu-west-1 \
  --description 'Backup vault encryption key' \
  --policy file://backup-key-policy.json

aws kms create-alias \
  --region eu-west-1 \
  --alias-name alias/backup-key \
  --target-key-id <key-id-from-previous-call>

What is the impact of single-region backups?

The headline impact is unrecoverable data loss in a region-wide event. AZ outages are common and survivable — multi-AZ RDS, EBS replication, and ASGs all handle them. Region-wide outages are rare but real, and they have happened in every major hyperscaler region at some point. If your only recovery points sit in the affected region, your RPO during such an event is whatever you have outside AWS (offline copies, customer-supplied data, manual re-entry) and your RTO is measured in days or weeks.

The second-order impact is contractual. SOC 2 CC7.5, ISO 27001 A.17, PCI DSS 12.10.1, and most enterprise MSAs include some form of geographic redundancy requirement. "Backups exist" doesn't satisfy those — the auditor will ask where the backups live and how the recovery would work if the primary region is gone. A nil cross-region copy posture is an audit finding waiting to land.

The third-order impact is operational confidence. Teams without cross-region copies tend to also not run restore drills, because there's nowhere meaningful to restore to. The result is a backup strategy nobody has ever tested end-to-end. Real DR events then become live experiments at the worst possible time — exactly when a confident, rehearsed playbook would be the difference between a four-hour recovery and a four-day one.

The financial impact is the bill for the copy itself — roughly 2x the storage cost of the source backups, plus the per-GB copy operation, plus data-transfer charges only if you actually restore back. For a 5TB monthly backup footprint that's a few hundred dollars a month, which is rounding error compared to the cost of a single hour of unplanned downtime for most production workloads.

How do you add cross-region copy safely?

Rolling out a cross-region copy is a four-step loop that mirrors any change to the backup posture: take stock, fix the plan, verify the copy lands and restores, and keep verifying on a cadence. Skipping the last step is the most common failure mode — copies that exist but have never been restored from are not a recovery strategy.

1. Inventory plans and pick the destination region

List every Backup Plan in the source region with aws backup list-backup-plans and rank them by the criticality of the resources they cover. Choose a destination region with deliberate care: the geographically-nearest AWS paired region keeps latency and data-sovereignty stories clean, but a different "fault domain" region (e.g. eu-west-2 → us-east-1) gives stronger isolation if you're worried about correlated continent-wide failures. Most teams pick the paired region for the first pass and only widen later.

2. Pre-create the destination vault and KMS key, then update the plan

Create the Backup Vault and KMS key in the destination region first — both with names and tags that match your IaC convention so the relationship is obvious from a console glance. Then call UpdateBackupPlan to add a CopyActions block to each rule, naming the destination vault ARN and the destination-side Lifecycle. Keep the source retention short (fast restore, low cost) and the destination retention longer (compliance and DR coverage).

3. Verify the first copy job lands, then restore from it

After the next scheduled run, use aws backup list-copy-jobs --region <source> to confirm the copy fired and reached COMPLETED. Then do the part most teams skip: actually restore the destination recovery point into the destination region (StartRestoreJob), point a test workload at it, prove it boots, and tear it back down. A copy you've never restored from is theatre, not DR.

4. Schedule quarterly restore drills and alert on copy failures

Add a CloudWatch alarm on the Backup copy-job FAILED metric so silent failures surface within an hour. Put a recurring 60-minute slot on the platform team's calendar every quarter to restore the most-recent destination recovery point of the highest-impact plan into the destination region, prove it works, and document the runbook. The drill is the whole point — everything before it is preparation.

# Add a CopyAction to an existing plan rule. Source retention 35 days, destination retention 365 days.
cat > plan.json <<'JSON'
{
  "BackupPlanName": "prod-daily",
  "Rules": [
    {
      "RuleName": "DailyRDS",
      "TargetBackupVaultName": "prod-rds-vault",
      "ScheduleExpression": "cron(0 2 * * ? *)",
      "StartWindowMinutes": 60,
      "CompletionWindowMinutes": 180,
      "Lifecycle": { "DeleteAfterDays": 35 },
      "CopyActions": [
        {
          "DestinationBackupVaultArn": "arn:aws:backup:eu-west-1:123456789012:backup-vault:prod-rds-vault-dr",
          "Lifecycle": { "DeleteAfterDays": 365 }
        }
      ]
    }
  ]
}
JSON

aws backup update-backup-plan \
  --backup-plan-id 4f8c1d2b-7a3e-4f1c-9b5a-2d8e6f0a1c34 \
  --backup-plan file://plan.json

# Confirm the next nightly run actually copied.
aws backup list-copy-jobs \
  --region eu-west-2 \
  --by-created-after $(date -u -d '24 hours ago' +%FT%TZ) \
  --query 'CopyJobs[*].{State:State,Bytes:BackupSizeInBytes,Dest:DestinationBackupVaultArn}'

Quick quiz

Question 1 of 5

You're about to add a cross-region Copy Action from eu-west-2 to eu-west-1 for an RDS backup plan. The source vault uses a customer-managed KMS key. What's the most important pre-requisite before pushing the plan change?

Keep learning

Dig deeper into AWS Backup, cross-region resilience, and the DR strategy that surrounds it.

You've completed Configure cross-region backup copy. You now know why a single-region backup posture is a category-of-one risk, how AWS Backup's Copy Action wires into a plan rule, how the KMS and cost story actually works, and how to add a destination region without breaking anything. The four-step loop — inventory, configure, verify with a real restore, and drill on a cadence — is the difference between backups that exist and backups that recover.

Back to the library

Cross-region backup copy: cost and risk in plain terms

A predictable, always-on storage charge that buys recovery when an entire AWS region fails

AWS Backup saves snapshots of databases, disks, and other resources into a vault. By default that vault sits in the same AWS region as the workload — London backups stay in London, Virginia backups stay in Virginia. That's enough protection for the everyday disasters: someone deletes a file, a bad deployment corrupts data, ransomware encrypts a volume. It does nothing for the scenario where the entire London region goes offline.

A cross-region Copy Action is a one-time configuration change that tells AWS Backup to automatically push each completed snapshot to a vault in a second region. The copy is independent — it survives the source region being completely dark. When BKP-004 flags a region, it means no such copies have been made in 30 days: every recovery point the organisation has is a single-region asset with a single-region failure mode.

The cost structure is simple and predictable: a per-GB charge for the copy operation each time a snapshot transfers, plus ongoing warm-storage cost in the destination region that mirrors source storage cost. The rough planning number is approximately 2x total backup storage spend as the steady-state increment — a number that is easy to model per backup plan and per environment tier. The decision for finance is not whether to pay it everywhere, but which backup plans are protecting workloads critical enough to justify it.

This lesson is for the finance partner who needs to understand what a cross-region backup copy actually buys, what it costs in steady state, and how to make the spend defensible. It covers the cost model (roughly 2x backup storage, plus a one-off data-transfer charge only if you restore), why this is a workload-tier decision rather than an all-or-nothing mandate, and the governance lever that keeps the posture honest: a documented tier per backup plan that maps spend to recovery requirement. No technical implementation required.

Fun fact

us-east-1's habit of taking everything with it

How a finance partner frames the cross-region backup decision

Dana is the finance partner supporting the UK fintech's platform team. At the quarterly review a continuity audit flags BKP-004: twelve backup plans running every night, none of them copying outside the London region. The engineering lead asks whether to add cross-region copies everywhere. Dana's first question is the tiering one: which of those twelve plans protect workloads that the business genuinely cannot afford to lose in a region failure, and which protect dev and test environments that could be rebuilt?

The team maps the twelve plans to business criticality in about thirty minutes. Four cover production workloads with SLA commitments to customers; two cover a financial reporting database with regulatory retention requirements; the remaining six protect non-production environments. Dana approves the cross-region copy cost on the six plans that carry real business or compliance weight. The other six stay region-local by design, with a documented reason that will survive an audit.

Dana's number for the finance pack is a small monthly increment — roughly double the source storage cost on the six critical plans — booked as a resilience operating cost rather than a surprise. The more important line is what it buys: a documented, approved answer to "can we recover if London goes dark?" for the workloads that matter. That answer used to be implicit. Now it is a policy.

Why single-region backups belong on the risk register — and what they cost to fix

The cost model for cross-region backup is unusually clean. The steady-state increment is approximately 2x the current AWS Backup storage spend for each plan you protect — there is no variable usage component beyond the per-GB copy charge at backup time and the per-GB storage charge in the destination region. For any backup plan you can forecast the annual increment precisely: take the plan's current storage cost and add roughly the same amount again. This makes a tiering decision straightforward: model the cost for each plan, map it to the criticality of the workload, approve or decline.

The contractual exposure is the part that tends to surprise at audit. SOC 2, ISO 27001, PCI DSS, and most enterprise customer agreements include geographic redundancy requirements for backup. The audit question is not "do you have backups?" — it is "where do your backups live and could you recover if the primary region failed?" A region-local-only posture fails that question for any workload covered by those frameworks. The cost to remedy it is the storage increment above; the cost of a compliance gap finding is typically much larger.

The risk-register framing that works best: each production backup plan with no cross-region copy is an open exposure with a quantifiable mitigation cost. Model both numbers — the annual increment to add the copy, and the estimated blast radius of a region failure for that workload (revenue lost, SLA penalties, recovery labour cost). For any plan where the mitigation cost is less than the expected-value of the exposure, the decision to add the copy is straightforward. The finance contribution is insisting that comparison exists before the decision is made.

Finally, note that untested cross-region copies are not full mitigation. A copy that exists but has never been restored from does not reduce the risk as much as it appears on paper. Finance should treat restore-drill cadence as a governance requirement alongside the cost, and should flag plans that have copies but no documented drill history — those carry more residual risk than the copy cost would suggest.

What finance can drive on cross-region backup coverage

Finance cannot update a Backup Plan, but it owns the framing that turns this from a nagging finding into a deliberate, costed, auditable posture. Four inputs that make the difference.

1. Require a resilience tier and cost estimate per backup plan

Before engineering adds copies everywhere, ask for a one-pager: each active backup plan, the criticality of the workloads it covers, whether it has a cross-region copy, and the annual cost increment if one were added. That inventory is the prerequisite for every other decision. Plans covering revenue-critical or compliance-subject workloads should carry the copy; plans covering dev and test should not. Finance's job is to make sure that judgment is explicit and documented, not left to whoever last touched the plan.

2. Budget the cross-region copy as a resilience operating cost

Approximately 2x the existing AWS Backup storage spend for covered plans is the right planning number, plus a one-off data-transfer charge only if a real restore occurs. Book it as resilience cost, not an anomaly — an unexpected line that looks like waste but isn't. A budget that doesn't include this cost for critical plans is implicitly choosing to carry the uninsured risk of a region failure; that choice should be visible and approved, not invisible.

3. Require documented justification for any critical plan without a copy

Any production or compliance-subject backup plan that remains region-local should have a finance-visible recorded reason — not a suppressed finding with no context. That converts a silent risk into a tracked exception that can be revisited at the next review. If the reason is cost, put the cost next to the risk: a few hundred dollars a month against the blast radius of losing that workload for days is a quantifiable trade-off, not an open question.

4. Track restore-drill completion alongside copy coverage

A cross-region copy that has never been restored from is partial mitigation at best. Finance should include a restore-drill status column in the resilience review — when was the last time a destination recovery point was actually restored and validated? Plans with copies but no drill history carry more residual risk than the coverage metric suggests. Treat "copy exists, never tested" as an amber status, not a green one.

Quick quiz

Question 1 of 5

A BKP-004 scan shows twelve backup plans with no cross-region copies — four covering production workloads with customer SLAs, two covering a financial reporting database with a five-year regulatory retention requirement, and six covering dev and test environments. How should finance frame the remediation budget?

Keep learning

Dig deeper into AWS Backup, cross-region resilience, and the DR strategy that surrounds it.

You've finished the finance partner's view of cross-region backup. You know the cost increment is predictable — roughly 2x the existing backup storage spend on the plans you protect — why this is a workload-tier decision rather than an all-or-nothing mandate, the four governance levers that keep the posture defensible (per-plan tiering, budgeted resilience cost, documented exceptions, restore-drill tracking), and why an untested copy is amber governance, not green. Next time BKP-004 surfaces, you'll have a sharper question than "how much does it cost to fix?"

Back to the library

Cross-region backup copy: the headline

Whether the organisation can recover when an entire cloud region fails — not just a single server

Cloud backups default to the same region as the workload they protect. That is fine for most failures — accidental deletes, bad deployments, a single datacenter outage. It is not fine for a region-wide failure, which has happened in every major cloud provider's largest regions. When BKP-004 fires, it means the organisation has no recovery copies outside the region where the workload runs. If that region goes dark, recovery depends on whatever data exists elsewhere — which, for most workloads, is nothing.

The leadership question is straightforward: which systems must be recoverable even if an entire AWS region fails, and has the organisation paid the cost to guarantee that? The cross-region copy costs roughly twice the existing backup storage spend. For workloads that are revenue-critical, customer-facing, or subject to continuity commitments, that cost is a policy requirement. For development and test environments it is probably waste. The risk is not in the price — it is in leaving the answer implicit.

A short read for the executive who wants to understand what BKP-004 is telling them and what the one accountability question is. You'll get a plain-English explanation of why same-region backups leave a gap, what the cost of closing that gap looks like, and what the healthy end state is: critical workloads with cross-region copies by policy, lower-stakes environments without — and every choice on the record. No implementation detail.

Fun fact

us-east-1's habit of taking everything with it

What it looks like when an organisation gets this right

At one financial services firm, the CISO used to get an uncomfortable pause whenever she asked "if our primary cloud region went down for a day, what could we recover?" The answer was technically correct — they had backups — but nobody had mapped which backups were region-local and which were genuinely portable. BKP-004 made the gap visible.

After a focused sprint, the answer changed: six production backup plans now copy to a second region every night, recovery has been tested from the destination vault, and the other six plans are intentionally region-local for non-production workloads with a documented reason. The CISO's question now has a one-page answer.

That is the right end state for this control. Not every backup copied everywhere — that would be expensive and unnecessary. Instead, a deliberate tier: workloads with real recovery commitments are protected outside the primary region by policy, lower-stakes environments are not by design, and every choice is recorded. The finding stops being a risk and becomes evidence that the organisation knows exactly what it can and cannot recover.

Why this is a board-level resilience question, not an engineering detail

The direct question this control answers is: if the AWS region where our critical workloads run failed today, how long would recovery take, and how much data would we lose? For organisations with no cross-region backup copies, the honest answer is days, not hours — and whatever data was written since the last backup, permanently. That is a material business risk for any organisation with revenue-generating or customer-facing workloads.

The second reason it reaches the executive level is contractual. Geographic redundancy is a standard requirement in SOC 2, ISO 27001, PCI DSS, and enterprise customer agreements. An auditor who finds that all backups live in the same region as the workload they protect will raise a finding regardless of how many other controls are green. That finding can delay certification, trigger customer notification obligations, or surface in due-diligence reviews.

The leadership question is not whether to spend the money across the board. Cross-region copies for dev and test environments are waste. The question is whether every workload with a real recovery commitment is protected outside its primary region by explicit policy, with the cost approved and the restore tested. A well-governed posture has both: critical workloads with cross-region copies by design, and non-critical workloads without them by design, with every choice on the record.

The leadership posture on cross-region backup

The executive handle is not to mandate copies on every backup plan — that would be wasteful and unmanageable. It is to require that every workload's recovery posture is a deliberate, recorded decision matched to the business commitment that workload carries.

1. Set policy: customer- and revenue-facing workloads get cross-region copies

Make it a standing requirement that any system with a customer SLA, a revenue dependency, or a regulatory data obligation has its backup plan configured with a cross-region copy. This default removes the per-plan debate and ensures the systems that matter are protected outside the source region by design, not by whoever happened to configure the plan. Exceptions need a named owner and a recorded reason.

2. Accept region-local backups for non-production by design

Dev, test, and sandbox backup plans are correctly region-local; paying the cross-region storage cost on environments that can be rebuilt is waste. The goal is not to copy everything — it is to have the right posture for each tier. A zero-finding dashboard on BKP-004 that was achieved by copying every plan including dev/test is not better governance; it just costs more.

3. Ask for the one-line status at each leadership review

The question that takes one minute: "Are all production and compliance-subject backup plans copying to a second region, with every exception documented and the last restore drill within the last quarter?" A consistent yes means the DR posture is governed, not accidental. A partial answer surfaces exactly where the exposure is. That is the governance signal this control is designed to produce.

Quick quiz

Question 1 of 5

Your resilience review shows all six production backup plans copying to a second region, quarterly restore drills completed, and six dev/test plans intentionally region-local with documented reasons. BKP-004 still shows six open findings for the dev/test plans. What is the right read?

Keep learning

Dig deeper into AWS Backup, cross-region resilience, and the DR strategy that surrounds it.

That's the lesson. Two takeaways: single-region backups leave a recovery gap that no amount of multi-AZ configuration closes, and the right posture is a deliberate tier — critical workloads with cross-region copies by policy, non-critical workloads without them by design, and every choice recorded. The leadership question at each review is whether the systems with real recovery commitments are protected outside their primary region and whether the last restore drill has been run. That is a one-minute check, not a technical briefing.

Back to the library

Part of the learning path Build in resilience

Configure cross-region backup copy

Cross-region backup copy: the basics

us-east-1's habit of taking everything with it

Cross-region copy in action

How AWS Backup's Copy Action actually worksdeep dive

What is the impact of single-region backups?

How do you add cross-region copy safely?

1. Inventory plans and pick the destination region

2. Pre-create the destination vault and KMS key, then update the plan

3. Verify the first copy job lands, then restore from it

4. Schedule quarterly restore drills and alert on copy failures

Quick quiz

Keep learning

Cross-region backup copy: cost and risk in plain terms

us-east-1's habit of taking everything with it

How a finance partner frames the cross-region backup decision

Why single-region backups belong on the risk register — and what they cost to fix

What finance can drive on cross-region backup coverage

1. Require a resilience tier and cost estimate per backup plan

2. Budget the cross-region copy as a resilience operating cost

3. Require documented justification for any critical plan without a copy

4. Track restore-drill completion alongside copy coverage

Quick quiz

Keep learning

Cross-region backup copy: the headline

us-east-1's habit of taking everything with it

What it looks like when an organisation gets this right

Why this is a board-level resilience question, not an engineering detail

The leadership posture on cross-region backup

1. Set policy: customer- and revenue-facing workloads get cross-region copies

2. Accept region-local backups for non-production by design

3. Ask for the one-line status at each leadership review

Quick quiz

Keep learning

Related site reliability lessons