EC2 backup protects against ransomware and reduces AWS storage costs

Akshay Panchmukh, Product Manager

Amazon’s Elastic Compute Cloud (EC2) instances are widely used for running applications on Amazon Web Services (AWS) infrastructure. According to AWS — “Amazon EC2 offers a highly reliable environment where replacement instances can be rapidly and predictably commissioned. The service runs within Amazon’s proven network infrastructure and data centers. The Amazon EC2 Service Level Agreement commitment is 99.99% availability for each Amazon EC2 Region.” 

Many top businesses, like Netflix and Pfizer, rely on EC2 instances to scale their business with best-in-class cloud computing power. As much as it is important to scale up the environment, it is equally important for such businesses to be highly available in all situations. This leads enterprises to take point-in-time snapshot copies of data to build a business continuity strategy for dealing with potential disasters or ransomware attacks.

Usually, enterprises would use cross-region and cross-account snapshot copies of their EC2 data as the primary strategy to protect themselves from internal and external threats. However, this comes with a hefty price to keep their data available. Standard EBS snapshot storage is charged at $0.05 per GB, which can add up to a huge amount for enterprises that have petabytes of data across their multitudes of AWS accounts. Standard Amazon EBS snapshots are created in the same region as the source, in the same AWS account — which poses a greater risk of backups being affected by ransomware, insider threats, or accidental deletion. Customers are now looking for secure, encrypted, and air-gapped backups that are isolated from their primary production environment to ensure business continuity.

Druva not only provides an air-gapped backup of EC2 instances and attached (or unattached) EBS volumes, but also provides a cost-effective solution for its customers which can reduce TCO up to 50% when compared with storing EC2 snapshots in AWS. Druva uses global source-side deduplication to compress encrypted and non-encrypted data without storing customers’ ekeys, and always follows best-in-class industry-level security standards. By backing up Amazon EC2 data to the Druva Data Resiliency Cloud, organizations reduce the operational complexity of managing multiple snapshot copies in AWS. You can leverage additional features like policy immutability, app-consistent backups, and manual deletion prevention, and in addition, there are no worker instances that need to be spun in the customer’s account. Druva takes care of that. That’s right! This means no hidden charges!

We’ll walk through how simple it is to create secure, air-gapped backups using the Druva Data Resiliency Cloud for your Amazon EC2 workloads. 

How it works

EC2 Backup

Step 1: Provision Cloud Storage

1. Log into your Druva Native Workloads (CloudRanger) console for AWS and navigate to the Account for which you wish to set up storage. Click the gear icon on the top navigation bar.

2. Click Druva Cloud to be directed to the Druva Storage page.

Request for storage

3. Click Provision Storage to request a new Druva Cloud Storage.

Provision storage

4. Select the Druva Storage Region you would like to store your data in and specify an appropriate Storage Name.

 The Storage request, once initiated, triggers a Support ticket to provision the storage on Druva Cloud.

Once complete, the Storage listing page will list all available Cloud Storage with the relevant Status

  • Requested: Indicates that a new Storage has been requested and is pending approval. Once approved, the status is updated accordingly.
  • Access Provided: Indicates that the request has been approved and Cloud Storage has been provisioned in the Region specified. 
  • Access Denied: Indicates that the storage request has been denied for specific reasons. For more information, contact your Druva Account Manager or Support.

Step 2: Storage rules

Storage Rules help create a mapping between the Druva Data Resiliency Cloud and your AWS resources within specific Regions and Accounts. Once you identify the AWS resources to be backed up to Druva Cloud, the Storage Rules direct the data backups to the appropriate Druva Data Resiliency Cloud Region provisioned within your chosen Account. 

In other words, use storage rules to direct specific resource backups to the appropriate Druva Data Resiliency Cloud Storage.

To define Storage Rules:

1. Log into your Druva Native Workloads (CloudRanger) console and navigate to the Account for which you wish to configure storage rules. Click the gear icon on the top navigation bar.

2. Click Druva Cloud to be directed to the Druva Storage page.

3. On the Storage Rules tab, click Add Storage Rule.

  • Select the Account and AWS Region to filter resources to be backed up from.
  • Select the Druva Storage name to assign the storage for all backups generated from the resources filtered within the selected Account and Region.
Storage rules

Step 3: Add credentials

The Client Credentials enable access to your AWS Key Management System (AWS KMS) to generate and manage the data encryption key (ekey). The ekey, once generated, is used to encrypt the user data that is then backed up to Druva Cloud. 

Note: This is part of the digital envelope encryption process that Druva strictly adheres to. Druva does not store the ekey of users and has no access to the data.

To get started with ekey management, you will need to import the relevant credentials to your Druva CloudRanger account.

1. Log into your Druva Native Workloads (CloudRanger) console and navigate to the Account for which you wish to configure Client Credentials. Click the gear icon on the top navigation bar.

2. Click Druva Cloud to be directed to the Druva Storage page.

3. On the Client Credentials tab, click Create Client Credentials.

4. On the Add Credential page, specify the following:

  • Select the Account and AWS Region for which you wish to generate the key credentials.

NOTE: This is just the location where the client credentials will be stored, and these can be used for any accounts/region within the organization. There is no need for creating client credentials in every region/account.

  • The Parameter Store Name automatically displays the appropriate AWS Parameter Store within which the credentials are stored.
Add credential

Step 4: Create Backup policies to move EC2 Backups to Druva Data Resiliency Cloud

Druva Cloud-enabled backup policies let you select an automatic schedule to create EC2 backups per the required retention.


Step 5: Check your EC2 Backups in Druva Data Resiliency Cloud

Once the EC2 backups are created using the global policies, you will see those backups on our backup listing page.

In the ‘Location’ column, you will find ‘Druva Cloud’ in place of the EC2 Backups which have moved to Druva Cloud.


Step 6: Restore from Druva Data Resiliency Cloud

For any operational or troubleshooting purpose, if you need to restore your EC2 backups in the Druva Cloud you can simply select the backup from the EC2 backup listing page and then select ‘Restore’.

You can restore the EC2 Backup as a volume or an instance.

Restore as an instance


Cross-account and cross-region snapshots provide a level of resilience against cyber attacks and disasters, but they also increase costs and complexity. Druva removes the need for cross-account and cross-region snapshots and provides air-gapped backups for superior protection against ransomware with an up to 50% reduction in TCO. 

You can also leverage Druva’s recent security enhancements for AWS native workloads, such as manual deletion prevention and policy immutability, to keep your data safe in Druva Data Resiliency Cloud. Additionally, you can create application-consistent backups for Amazon EC2 resources using pre- and post-scripts.

Key takeaways

Thousands of organizations leverage Amazon EC2 to build and run applications with speed and confidence, but as they expand their cloud footprint, data visibility, protection, and recovery often become costly and complex challenges. The latest innovations within the Druva Data Resiliency Cloud highlight how Druva can address these pain points and is helping businesses unlock even more value in the cloud through a radically simplified approach.


We’re excited about the release of our EC2 backup capabilities for both AWS and Druva customers. Druva’s cloud backup capabilities for Amazon EC2 workloads will be generally available via the Druva Data Resiliency Cloud this Spring 2022. 

Learn more about what Druva can do for your AWS environment on the Druva website.