Skip to content

AWS – Object Storage

Amazon S3 Backup and Recovery

Built for cloud teams

Recover Amazon S3 data to any point in time, without managing backup infrastructure. Air-gapped, immutable, and API-first from day one.

Storage tier

SecureVault Standard
Archive

Restore type

Granular
Full
In-place (Backtrack)
Instant Access

Cross-region

Supported (out-of-region)

Cross-account

Supported

01 · Why Clumio for S3

Why pick Clumio for S3

Native S3 tools and most backup vendors protect at the bucket level (all of it or none of it), and they bill you for full-bucket restores even when you only need a sliver. Six capabilities in Clumio for S3 flip that pattern.

Granular backup

Back up only what you need

Protection groups scope down to objects, prefixes, or whole buckets, with storage-class and version filters. Other tools force a bucket-level all-or-nothing decision; you either overpay or under-protect. 

Granular restore

Restore only what’s broken

Recover at object, prefix, or bucket granularity, the same axes as backup. Reduces both RTO and cost by skipping full-bucket rehydration when you only need a slice.

Long-term tier

Low-cost archive tier

SecureVault Archive helps support compliance and multi-year retention at Clumio’s lowest-cost storage tier. It trades restore speed (12–48 hours) for cheaper long-term storage, so cold backups stay affordable.

Instant Access

Mount a backup, skip the restore

Spin up a read-only, S3-compatible endpoint backed by a backup. Apps resume in minutes while a full restore runs in the background. Reach via IAM role or via CloudFront for cached reads. 

Backtrack

In-place restore, no resource rewiring

With Backtrack, roll the original bucket back to a previous state instead of provisioning a new one. Bucket ARN, IAM, and Terraform state stay intact. Near-instant: operates on object versions, not full copies. 

Continuous RPO

Near-zero data loss

Continuous backup brings effective RPO down to ~15 minutes for active buckets, versus the hours-to-a-day floors of scheduled-only solutions. Rewind to any timestamp on restore. 

New to Clumio?

Set up your AWS account first

This page assumes a connected AWS account and at least one protection group. If you haven’t done that yet, the Getting Started guide walks you through sign-up, account connection, and your first backup in under 15 minutes. 

02 · Backup

How to back up S3

Group your S3 buckets into a protection group, then apply a policy that defines tier, region, and frequency. Buckets are organized into protection groups; policies attach to the group, not the bucket. (For initial AWS account setup, see the Getting Started guide.) 

01

Create a backup policy

A policy defines frequency, retention, backup window, destination region, and tier. Minimum retention is one month for both Standard and Archive tiers. Archive tier backups deleted before six months may incur early-deletion charges. Threat scan and Backtrack are toggled here too. 

Protect → Backup policies →

02

Pick the right RPO, from daily down to ~15 minutes

The policy schedule sets the floor (e.g. daily). For tighter RPO, enable Continuous backup on individual buckets. Effective RPO drops to ~15 minutes on active buckets, and you can restore to any timestamp within the continuous backup window.

WORTH KNOWING

Continuous backup can be toggled on unprotected buckets, but nothing is captured until that bucket is in a protection group with a valid policy and the seed backup finishes. Point-in-time Instant Access requires Continuous backup.

03

Choose a tier (SecureVault Standard, Archive, or Backtrack)

SecureVault Standard

Air-gapped secondary copy in Clumio’s vault. Fast restore. Supports Instant Access. Use for ransomware recovery and short-to-mid-term retention. 

SecureVault Archive

Lower-cost long-term tier for compliance/archival use. Restore takes 12–48 hours. No Instant Access. Early-deletion charge if retained < 6 months. 


Backtrack is a separate, in-account option that uses S3 versioning to roll a bucket back to a prior state. It lives alongside SecureVault rather than replacing it. Requires S3 Versioning enabled on the bucket; not compatible with Glacier classes (except Glacier Instant Retrieval); bulk undo-delete requires continuous backup.

Protect → S3 policies → Backup tier →

04

Choose a region (in-region or out-of-region)

By default, Clumio stores backups in the same region as the source bucket. You can target a different region for cross-region durability, which adds AWS data transfer cost. The target region is set on the policy and inherited by the protection group. 

Once a policy with a target region is applied, that region is locked for the protection group and its child buckets. To change region, create a new protection group + policy and migrate.

05

Pick your backup granularity

Granularity is defined in the protection group’s Advanced options: filter by Storage Class (e.g., Standard only, exclude Glacier), choose all versions or latest version at backup time, and include or exclude one or more Prefixes. Use a trailing slash to include everything under a prefix (e.g. dblogs/); exclude sub-prefixes as needed. This is how you carve up a large bucket without backing up content you don’t need.

Set up → Protection groups → Advanced options →

03 · Restore

How to restore S3

An S3 restore comes down to three choices: when to recover from, what to recover, and where it lands.

WHENWhen — Pick the recovery point

An exact timestamp from continuous capture, or a discrete backup point from the calendar.

Point-in-time restore

An exact timestamp from continuous capture, or a discrete backup point from the calendar.

Restore → Bucket → Point-in-time 

Restore from a selected backup

Pick a specific backup from the protection group’s calendar. Each dot is one captured point. Partial backups display as half-dots so you can avoid incomplete points.

Restore → Protection group → Calendar

WHATPick the granularity

From single objects up to whole buckets, with the same workflow.

Object Pick the recovery point

Restore one (or many) specific object keys, optionally pinned to a specific version. Use Global Search to filter across the protection group when you don’t already know the keys.

Prefix Prefix

Restore everything under a prefix. Use a trailing slash (e.g., dblogs/) to include all descendants; pair with exclude filters to leave sub-prefixes behind.

Bucket

Restore one or more entire buckets, up to 50 buckets in a single batched operation from a protection-group calendar point.

WHEREPick the destination

Restore back into the source bucket or land somewhere else entirely.

In-place restore via Backtrack

Roll the original bucket back to a previous state, same bucket, same account. Two flavors: bucket rollback via S3 Versioning, and bulk undo of delete markers (requires Continuous backup). Preserves bucket ARN, IAM, and Terraform state. Near-instant, because it operates on object versions rather than full copies.

Restore → Backtrack 

Out-of-place (cross-region or cross-account)

Restore to a different bucket, region, or AWS account. Pick the target account, region, bucket, storage class, an optional prefix, and custom tags so the restored objects don’t collide with live data. Cross-region adds AWS data transfer fees. 

Restore → Filters & targets

Instant AccessMount the backup, skip the restore

Read-only S3-compatible endpoint backed by your backup data. Apps resume in minutes while a full restore (if you need one) runs in the background. SecureVault Standard tier only.

From a scheduled backup

Pick a backup dot on the calendar, then Restore > Instant Access. Optionally filter objects, choose latest-only or all versions, set expiration from 5 to 30 days. “Calculate object count and cost” surfaces the per-day credit cost.

From a continuous point-in-time

Same flow, requires Continuous backup enabled on the bucket. Pick a specific timestamp instead of a calendar day; Clumio assembles the point-in-time view from the continuous capture chain. Same filter and expiration options apply.

Access path: IAM role or CloudFront

IAM role: copy the permissions policy from Clumio, attach inline on a role in your AWS account, paste the ARN back. CloudFront: copy Clumio’s origin domain, add an Origin Access Control with signing, return the ARN.

05 · Common questions

Frequently asked questions

 

Questions from engineers setting up S3 protection or troubleshooting restores. 

How long does the initial seed backup take for a large S3 bucket?

Depends on object count and total size. There is no hard cap on bucket size (Clumio runs at exabyte scale) and the crawl is parallelized, but huge buckets (billions of objects, petabytes) can still take hours to days for the first seed. Subsequent backups are incremental-forever and finish in minutes at typical change rates. You can monitor seed progress in the console under Protection groups.

Is there a minimum retention period, and how do early-deletion charges work?

Yes. Both SecureVault Standard and Archive tiers have a one-month minimum retention. Archive-tier backups deleted before six months trigger an early-deletion charge from Clumio (this is a Clumio charge, not an AWS pass-through), so size retention windows accordingly when picking Archive for compliance or long-term workloads. If your retention requirement is shorter than six months, keep the data in Standard; the savings from Archive only show up at longer retention horizons.

How long does a restore from the Archive tier take?

Archive-tier restores typically run 12 to 48 hours, depending on object count and size. For time-sensitive recovery, keep recent backups in SecureVault Standard. Standard restores complete in minutes and support Instant Access, which Archive does not. A common pattern is Standard for the last 30–90 days and Archive for everything older.

Can I restore S3 objects to a different AWS account?

Yes. Cross-account restore is supported for Amazon S3. Pick the target account during restore setup. The account must have a Clumio connector installed and trust established. No dependency on the source account being healthy, which makes this useful for ransomware recovery scenarios.

What’s the RPO if I enable Continuous backup?

Effective RPO is ~15 minutes on buckets with Continuous backup enabled. You can restore to any timestamp within the Continuous backup window.

Does Backtrack replace a SecureVault backup or work alongside it?

Backtrack works alongside SecureVault, not instead of it. SecureVault stores an air-gapped copy outside your AWS account for ransomware and account-compromise scenarios. Backtrack is an in-account mechanism that uses S3 Versioning to roll a bucket back in place — faster, but within your account boundary. Most teams run both: SecureVault for isolation and long-term retention, Backtrack for rapid in-place rollbacks.

Will a Clumio restore create a new bucket or restore into the existing one?

It depends on the restore type. Backtrack restores in-place into the original bucket — no new resource is created, and bucket ARN, IAM policies, and Terraform state remain intact. All other restore types (out-of-place, cross-account, cross-region) write to a destination bucket you specify. Instant Access mounts a read-only endpoint without writing to any bucket until you trigger a full restore.

Which S3 storage classes are supported?

Most classes are supported: S3 Standard, S3 Standard-IA, S3 One Zone-IA, S3 Intelligent-Tiering (Frequent, Infrequent, and Archive Instant Access tiers), Glacier Instant Retrieval, and Reduced Redundancy. The exclusions: Glacier Flexible Retrieval and Glacier Deep Archive are not supported. Objects in the Archive Access and Deep Archive Access tiers of Intelligent-Tiering also fail to back up. If you rely on Clumio for protection, keep objects out of those classes; Clumio treats them as missing and does not retry.

06 · Related resources

Go deeper

Blog posts and reference material for teams building on Clumio S3 protection. 

Blog

How the Move to Clumio Delivered 66.7% Savings on AWS Backups

xyzt.ai replaced native AWS snapshots with Clumio and cut backup spend by two thirds — a direct walkthrough of what changed and what the numbers looked like. 

Blog

Automating AWS Data Protection with Terraform and Clumio

Why backup belongs in your IaC pipeline — wiring S3 account connections, policies, and tag-based protection rules from Terraform, and the operational gains that follow. 

Whitepaper

Secure, Immutable, Air-Gapped Data Protection with Clumio

A technical deep-dive into the vault architecture — per-customer isolation, immutability enforcement, and why the air-gap model outperforms account-resident backup for ransomware recovery.