Skip to content

AWS · Compute & Block Storage

Amazon EC2 / EBS

Built for cloud teams

Air-gapped backup and recovery for Amazon EC2 instances and EBS volumes. Full instance restore, file and folder recovery, and cross-account or cross-region recovery for ransomware response.

Storage tier

SecureVault Standard
Lite

Restore type

EC2 instance
EBS volume
AMI
File-level

Cross-region

Supported

Cross-account

Supported

01 · Why Clumio for EC2 / EBS

Why pick Clumio for EC2 / EBS

Native EBS snapshots provide point-in-time recovery, but organizations often need additional capabilities for centralized protection, long-term retention, and cyber resilience. Clumio helps simplify those requirements through a cloud-native, managed protection architecture.

Agent-less

No agents, no backup infrastructure

Clumio runs entirely outside your AWS account. Nothing installs on EC2 instances, no proxy hosts to maintain, no backup servers to size or patch. The connector discovers instances and snapshots volumes through AWS APIs, so protection is designed to add no CPU or memory load to your workloads.

Flexible

Three recovery paths

Restore a full EC2 instance (with attached volumes, network configuration, and tags), create an AMI for launching new instances, or recover just the EBS volumes. Pick the granularity that fits the recovery scenario.

File-level

Browse and restore individual files

Search the indexed file system of any backup, or across multiple backups, to find the file or folder you need before restoring. No mounting, no full instance or volume rehydration. Useful for accidental deletion, single-file recovery, or targeted rollback.

Snapshot migration

EBS snapshot migration

Existing EBS snapshots in your AWS account can be ingested into the Clumio vault, helping preserve the recovery points you’ve already created while moving them out of the source account into immutable, long-term storage.

Snapshot orchestration

EBS in-account snapshot orchestration

Drive native EBS snapshot lifecycle from the same policy that controls air-gapped backups. Clumio schedules and ages out in-account snapshots for fast operational rollbacks, then pairs them with off-account SecureVault copies designed to help protect against ransomware, all governed by one policy.

Air-gapped vault

Designed to survive account compromise

SecureVault backups sit in Clumio’s immutable, off-account vault. If the source AWS account is compromised, or an admin deletes the EC2 instance or EBS volume, the backup is designed to remain available and restorable into any account.

New to Clumio?

Set up your AWS account first

This page assumes a connected AWS account with at least one EC2 instance or EBS volume. If you haven’t done that yet, the Getting Started guide walks you through sign-up, account connection, and first backup in about thirty minutes.

02 · Backup

How to back up EC2 / EBS

EC2 instances and EBS volumes live across one or more AWS accounts and regions. Clumio discovers both, captures instance metadata alongside volume snapshots, and preserves attached configuration end-to-end.

01

Create a backup policy

Use an EC2 instance policy, an EBS volume policy, or both side-by-side, depending on what you’re protecting. An EC2 policy captures the instance plus its attached volumes, network configuration, tags, and AMI metadata as a single transactionally consistent recovery point. An EBS policy operates directly on standalone volumes. Either kind can also include an optional in-account snapshot orchestration schedule alongside the air-gapped backup schedule, so native EBS snapshots and SecureVault copies are governed by the same policy.

Protect → Backup policies → 

02

Pick the right RPO

The policy schedule sets the cadence (daily, weekly, monthly, or yearly), with an optional start time and an optional backup window that constrains when runs can begin. The available cadences depend on the chosen tier: SecureVault Standard supports the full range, while SecureVault Lite has minimums on RPO cadence and retention length. The seed transfers a full snapshot of each attached volume; subsequent runs are incremental-forever at the block level.

03

Choose a tier (SecureVault Standard or Lite)

EC2 and EBS backups can land in either of two air-gapped tiers. Pick based on how long you need to keep the data and whether file-level recovery is needed. Once a backup is written to a tier, it stays in that tier; data does not move between Standard and Lite.

SecureVault Standard

Air-gapped tier sized for operational recovery. Supports the full range of RPO cadences and retention lengths, with file-level indexing built in, so file-level restores work out of the box. The default for most workloads. 

SecureVault Lite

Lower-cost air-gapped tier with the same off-account isolation as Standard. The price reduction comes from minimums on RPO cadence and retention length, and file-level indexing is not included, so file-level restores aren’t available on this tier. Restore performance otherwise matches Standard. 

Protect → EC2 / EBS policies → Backup tier → 

04

Choose a region (in-region or out-of-region)

By default, backups land in the same region as the source. Target a different region on the policy for cross-region durability; standard data transfer charges may apply.

05

Apply the policy with protection rules

Once the policy is saved, use protection rules to apply it. Target instances and volumes directly, or scope by account, region, name, or tag. Resources can also be excluded by tag for fine-grained control. The seed backup runs first; subsequent backups are incremental.

Set up → Protection rules → 

03 · Restore

How to restore EC2 / EBS

An EC2 / EBS restore comes down to three choices: when to recover from, what to recover, and where it lands.

WHENPick the recovery point

Three sources of recovery points, chosen from the protection-history calendar on the resource detail page.

SecureVault Standard backup

Pick a Standard dot on the calendar. Air-gapped copy outside your AWS account, with file-level indexing for granular file recovery. Recommended for ransomware response, account-compromise scenarios, and routine restore to a new instance or volume.

Restore → Instance → SecureVault 

SecureVault Lite backup

Pick a Lite dot for long-retention compliance restores. Same air-gapped isolation as Standard at lower cost; file-level recovery is not available on this tier, so plan for instance or volume granularity.

Restore → Instance → SecureVault 

In-account EBS snapshot

Pick a snapshot from the Clumio-orchestrated in-account snapshot lifecycle. Typically the fastest restore option of the three, with no cross-region transfer, ideal for operational rollbacks when the source account is healthy. Requires in-account snapshot orchestration enabled on the policy.

Restore → Instance → Snapshot

WHATPick the granularity

From a full instance down to a single file, with the same workflow.

EC2 instance recovery

Whole-instance restore with attached EBS volumes, network configuration, tags, and AMI metadata all preserved. The default for complete recovery, bringing an instance back to operational state.

Recovery as an AMI

Create an AMI from the backup, then launch new instances from it. Useful for spinning up multiple replicas of a known-good state, cross-account sharing, or golden-image workflows.

EBS volume recovery

Restore individual EBS volumes without rebuilding the entire instance. Useful when only specific data volumes need to be rolled back, or when attaching recovered data to a different instance.

File-level recovery

Search one backup or across many for the file or folder you need, then pull it without a full instance or volume restore. Useful for accidental deletion, single-file recovery, or grabbing a configuration file from a known-good state. Available on SecureVault Standard backups only.

WHEREPick the destination

Restore to a new resource in the source account or land in a different account or region.

Same account, same or different region

Restore to a new EC2 instance, AMI, or EBS volume in the source account. Pick the target region (defaults to the source), set the VPC, subnet, security groups, resource name, and tags as needed, then confirm. Cross-region restore from a same-region backup is supported and adds data transfer fees.

Restore → Same-account

Cross-account (any region)

Restore to a target AWS account, useful for ransomware recovery, environment promotion, or staging refreshes. The target account must have a Clumio connector installed and a reachable VPC and subnet in the destination region. No dependency on the source account being healthy. Not available for orchestrated in-account snapshots, which restore only within the source account.

Restore → Cross-account

05 · Common questions

Frequently asked questions

Questions from engineers setting up EC2 / EBS protection or troubleshooting restores. 

Are Clumio EC2 / EBS backups incremental, or does every backup capture the full instance?

Both kinds of backup are incremental at the block level. EC2 instance backups seed with a full snapshot of every attached volume and then capture only the changed blocks across all attached volumes on each subsequent run; instance metadata (network configuration, tags, AMI ID) is captured every time so the recovery point stays complete. EBS volume backups work the same way on a single volume at a time. Blocks already in air-gapped storage are referenced rather than re-uploaded.

Which operating systems, instance types, and EBS volume types does Clumio support?

Clumio supports most current EC2 instance families and most general-purpose, provisioned-IOPS, and throughput-optimized EBS volume types (gp2, gp3, io1, io2, st1, sc1). Both Linux and Windows guests are supported, including KMS-encrypted volumes when the source key is accessible to the Clumio connector role during backup. The connector inventories instances during account discovery; nothing is installed on the guest itself.

Can I auto-protect new EC2 instances and EBS volumes by tag or naming pattern?

Yes. Protection rules target EC2 instances and EBS volumes by AWS tag, name pattern, account, or region. New resources that match a rule are auto-attached to the policy at the next discovery cycle, so newly launched infrastructure is protected without manual onboarding.

Can I create an AMI from a Clumio EC2 backup?

Yes. EC2 backups can be restored as AMIs, letting you launch new instances from the recovered state. Useful for spinning up replicas, cross-account image sharing, or building golden-image workflows from a known-good capture point.

What does file-level recovery support? Encrypted volumes, LVM, Windows file systems?

File-level recovery indexes the guest file system at backup time, so you can search across one or many backups for the path or filename you need before kicking off a restore. Common Linux and Windows file systems are supported, such as ext4, XFS, and NTFS. KMS-encrypted EBS volumes are supported when the source key is accessible to the Clumio connector role during backup.

06 · Related resources

Go deeper

Blog posts and reference material for teams building on Clumio Amazon EC2 / EBS protection. 

Blog

Clumio Backup & Recovery for Amazon EC2 and EBS

AWS launched an additional set of EBS direct APIs that enable customers to create and write directly to EBS snapshots.

Blog

Exploring the Benefits of Amazon EC2-Other for Cloud Computing

Dive into the world of Amazon EC2-Other and unveil how these lesser-known yet powerful instances can revolutionize your cloud computing experience.

Solution Brief

Clumio Backup & Recovery for Amazon EC2 and EBS

Clumio helps simplify AWS cyber resilience – efficiently and cost-effectively.