AWS – Object Storage
Amazon S3 Backup and Recovery
Built for cloud teams
Recover Amazon S3 data to any point in time, without managing backup infrastructure. Air-gapped, immutable, and API-first from day one.
Storage tier
Restore type
Cross-region
Cross-account
01 · Why Clumio for S3
Why pick Clumio for S3
Native S3 tools and most backup vendors protect at the bucket level (all of it or none of it), and they bill you for full-bucket restores even when you only need a sliver. Six capabilities in Clumio for S3 flip that pattern.
Granular backup
Back up only what you need
Protection groups scope down to objects, prefixes, or whole buckets, with storage-class and version filters. Other tools force a bucket-level all-or-nothing decision; you either overpay or under-protect.
Granular restore
Restore only what’s broken
Recover at object, prefix, or bucket granularity, the same axes as backup. Reduces both RTO and cost by skipping full-bucket rehydration when you only need a slice.
Long-term tier
Low-cost archive tier
SecureVault Archive helps support compliance and multi-year retention at Clumio’s lowest-cost storage tier. It trades restore speed (12–48 hours) for cheaper long-term storage, so cold backups stay affordable.
Instant Access
Mount a backup, skip the restore
Spin up a read-only, S3-compatible endpoint backed by a backup. Apps resume in minutes while a full restore runs in the background. Reach via IAM role or via CloudFront for cached reads.
Backtrack
In-place restore, no resource rewiring
With Backtrack, roll the original bucket back to a previous state instead of provisioning a new one. Bucket ARN, IAM, and Terraform state stay intact. Near-instant: operates on object versions, not full copies.
Continuous RPO
Near-zero data loss
Continuous backup brings effective RPO down to ~15 minutes for active buckets, versus the hours-to-a-day floors of scheduled-only solutions. Rewind to any timestamp on restore.
New to Clumio?
Set up your AWS account first
This page assumes a connected AWS account and at least one protection group. If you haven’t done that yet, the Getting Started guide walks you through sign-up, account connection, and your first backup in under 15 minutes.
02 · Backup
How to back up S3
Group your S3 buckets into a protection group, then apply a policy that defines tier, region, and frequency. Buckets are organized into protection groups; policies attach to the group, not the bucket. (For initial AWS account setup, see the Getting Started guide.)
Create a backup policy
A policy defines frequency, retention, backup window, destination region, and tier. Minimum retention is one month for both Standard and Archive tiers. Archive tier backups deleted before six months may incur early-deletion charges. Threat scan and Backtrack are toggled here too.
Pick the right RPO, from daily down to ~15 minutes
The policy schedule sets the floor (e.g. daily). For tighter RPO, enable Continuous backup on individual buckets. Effective RPO drops to ~15 minutes on active buckets, and you can restore to any timestamp within the continuous backup window.
WORTH KNOWING
Continuous backup can be toggled on unprotected buckets, but nothing is captured until that bucket is in a protection group with a valid policy and the seed backup finishes. Point-in-time Instant Access requires Continuous backup.
Choose a tier (SecureVault Standard, Archive, or Backtrack)
SecureVault Standard
Air-gapped secondary copy in Clumio’s vault. Fast restore. Supports Instant Access. Use for ransomware recovery and short-to-mid-term retention.
SecureVault Archive
Lower-cost long-term tier for compliance/archival use. Restore takes 12–48 hours. No Instant Access. Early-deletion charge if retained < 6 months.
Backtrack is a separate, in-account option that uses S3 versioning to roll a bucket back to a prior state. It lives alongside SecureVault rather than replacing it. Requires S3 Versioning enabled on the bucket; not compatible with Glacier classes (except Glacier Instant Retrieval); bulk undo-delete requires continuous backup.
Choose a region (in-region or out-of-region)
By default, Clumio stores backups in the same region as the source bucket. You can target a different region for cross-region durability, which adds AWS data transfer cost. The target region is set on the policy and inherited by the protection group.
Once a policy with a target region is applied, that region is locked for the protection group and its child buckets. To change region, create a new protection group + policy and migrate.
Pick your backup granularity
Granularity is defined in the protection group’s Advanced options: filter by Storage Class (e.g., Standard only, exclude Glacier), choose all versions or latest version at backup time, and include or exclude one or more Prefixes. Use a trailing slash to include everything under a prefix (e.g. dblogs/); exclude sub-prefixes as needed. This is how you carve up a large bucket without backing up content you don’t need.
03 · Restore
How to restore S3
An S3 restore comes down to three choices: when to recover from, what to recover, and where it lands.
WHENWhen — Pick the recovery point
An exact timestamp from continuous capture, or a discrete backup point from the calendar.
An exact timestamp from continuous capture, or a discrete backup point from the calendar.
Pick a specific backup from the protection group’s calendar. Each dot is one captured point. Partial backups display as half-dots so you can avoid incomplete points.
WHATPick the granularity
From single objects up to whole buckets, with the same workflow.
Restore one (or many) specific object keys, optionally pinned to a specific version. Use Global Search to filter across the protection group when you don’t already know the keys.
Restore everything under a prefix. Use a trailing slash (e.g., dblogs/) to include all descendants; pair with exclude filters to leave sub-prefixes behind.
Restore one or more entire buckets, up to 50 buckets in a single batched operation from a protection-group calendar point.
WHEREPick the destination
Restore back into the source bucket or land somewhere else entirely.
Roll the original bucket back to a previous state, same bucket, same account. Two flavors: bucket rollback via S3 Versioning, and bulk undo of delete markers (requires Continuous backup). Preserves bucket ARN, IAM, and Terraform state. Near-instant, because it operates on object versions rather than full copies.
Restore to a different bucket, region, or AWS account. Pick the target account, region, bucket, storage class, an optional prefix, and custom tags so the restored objects don’t collide with live data. Cross-region adds AWS data transfer fees.
Instant AccessMount the backup, skip the restore
Read-only S3-compatible endpoint backed by your backup data. Apps resume in minutes while a full restore (if you need one) runs in the background. SecureVault Standard tier only.
Pick a backup dot on the calendar, then Restore > Instant Access. Optionally filter objects, choose latest-only or all versions, set expiration from 5 to 30 days. “Calculate object count and cost” surfaces the per-day credit cost.
Same flow, requires Continuous backup enabled on the bucket. Pick a specific timestamp instead of a calendar day; Clumio assembles the point-in-time view from the continuous capture chain. Same filter and expiration options apply.
IAM role: copy the permissions policy from Clumio, attach inline on a role in your AWS account, paste the ARN back. CloudFront: copy Clumio’s origin domain, add an Origin Access Control with signing, return the ARN.
05 · Common questions
Frequently asked questions
Questions from engineers setting up S3 protection or troubleshooting restores.
How long does the initial seed backup take for a large S3 bucket?
Depends on object count and total size. There is no hard cap on bucket size (Clumio runs at exabyte scale) and the crawl is parallelized, but huge buckets (billions of objects, petabytes) can still take hours to days for the first seed. Subsequent backups are incremental-forever and finish in minutes at typical change rates. You can monitor seed progress in the console under Protection groups.
Is there a minimum retention period, and how do early-deletion charges work?
Yes. Both SecureVault Standard and Archive tiers have a one-month minimum retention. Archive-tier backups deleted before six months trigger an early-deletion charge from Clumio (this is a Clumio charge, not an AWS pass-through), so size retention windows accordingly when picking Archive for compliance or long-term workloads. If your retention requirement is shorter than six months, keep the data in Standard; the savings from Archive only show up at longer retention horizons.
How long does a restore from the Archive tier take?
Archive-tier restores typically run 12 to 48 hours, depending on object count and size. For time-sensitive recovery, keep recent backups in SecureVault Standard. Standard restores complete in minutes and support Instant Access, which Archive does not. A common pattern is Standard for the last 30–90 days and Archive for everything older.
Can I restore S3 objects to a different AWS account?
Yes. Cross-account restore is supported for Amazon S3. Pick the target account during restore setup. The account must have a Clumio connector installed and trust established. No dependency on the source account being healthy, which makes this useful for ransomware recovery scenarios.
What’s the RPO if I enable Continuous backup?
Effective RPO is ~15 minutes on buckets with Continuous backup enabled. You can restore to any timestamp within the Continuous backup window.
Does Backtrack replace a SecureVault backup or work alongside it?
Backtrack works alongside SecureVault, not instead of it. SecureVault stores an air-gapped copy outside your AWS account for ransomware and account-compromise scenarios. Backtrack is an in-account mechanism that uses S3 Versioning to roll a bucket back in place — faster, but within your account boundary. Most teams run both: SecureVault for isolation and long-term retention, Backtrack for rapid in-place rollbacks.
Will a Clumio restore create a new bucket or restore into the existing one?
It depends on the restore type. Backtrack restores in-place into the original bucket — no new resource is created, and bucket ARN, IAM policies, and Terraform state remain intact. All other restore types (out-of-place, cross-account, cross-region) write to a destination bucket you specify. Instant Access mounts a read-only endpoint without writing to any bucket until you trigger a full restore.
Which S3 storage classes are supported?
Most classes are supported: S3 Standard, S3 Standard-IA, S3 One Zone-IA, S3 Intelligent-Tiering (Frequent, Infrequent, and Archive Instant Access tiers), Glacier Instant Retrieval, and Reduced Redundancy. The exclusions: Glacier Flexible Retrieval and Glacier Deep Archive are not supported. Objects in the Archive Access and Deep Archive Access tiers of Intelligent-Tiering also fail to back up. If you rely on Clumio for protection, keep objects out of those classes; Clumio treats them as missing and does not retry.
06 · Related resources
Go deeper
Blog posts and reference material for teams building on Clumio S3 protection.
Blog
How the Move to Clumio Delivered 66.7% Savings on AWS Backups
xyzt.ai replaced native AWS snapshots with Clumio and cut backup spend by two thirds — a direct walkthrough of what changed and what the numbers looked like.
Blog
Automating AWS Data Protection with Terraform and Clumio
Why backup belongs in your IaC pipeline — wiring S3 account connections, policies, and tag-based protection rules from Terraform, and the operational gains that follow.
Whitepaper
Secure, Immutable, Air-Gapped Data Protection with Clumio
A technical deep-dive into the vault architecture — per-customer isolation, immutability enforcement, and why the air-gap model outperforms account-resident backup for ransomware recovery.