S3 Backup Storage Setup

Every backup bucket gets created with versioning enabled, public access blocked at the account level, and server-side encryption (SSE-S3 or SSE-KMS) enforced via bucket policy. We configure S3 Object Lock in compliance mode for immutable backups when required. IAM policies follow least privilege — backup agents get s3:PutObject only, restore processes get s3:GetObject only. No wildcard permissions, no shared credentials.

We implement tiered lifecycle rules: backups less than 30 days old stay in S3 Standard, 30-90 days transition to S3 Infrequent Access (40% cheaper), and anything older moves to S3 Glacier Deep Archive (95% cheaper). Incomplete multipart uploads get aborted after 7 days. Non-current versions expire after your retention window. A typical setup cuts long-term backup storage costs by 80% compared to keeping everything in Standard.

For disaster recovery, we configure S3 Cross-Region Replication (CRR) to copy backups to a secondary region automatically. Replication rules filter by prefix or tag so you only replicate critical backups. The destination bucket has its own lifecycle rules and encryption. Replication metrics and failure alerts ensure you know immediately if replication falls behind.

CloudWatch metrics track bucket size, object count, and replication latency. S3 Storage Lens provides detailed analytics on access patterns and cost optimization opportunities. We set up alerts for: backup age exceeds threshold (no new backup in 25 hours for daily jobs), bucket size anomalies (sudden spike or drop), and access from unexpected IP ranges. S3 access logging feeds into your SIEM for audit trails.