Skip to main content



How can we help you?


Druva Documentation

Create Backup Policies

Heads up!

We've transitioned to a new documentation portal to serve you better. Access the latest content by clicking here.

Step-by-step guide on how to create a backup policy for your AWS workloads in Druva CloudRanger.

This article provides a step-by-step guide on how to create a backup policy for your AWS workloads in Druva CloudRanger. You can create policies to backup your Amazon EBS, EC2, RDS, and Redshift resources. 

To create a backup policy:

Step 1: On the top navigation bar, select Policies, and then click Create Backup Policy.


Step 2: Specify the following policy Setup information: 
  • Add a Name and a brief Description of your policy. 
  • Select the Snapshot + Backup to Druva Cloud check box to move snapshots to Druva Cloud for all resources specified within the policy.

Note: Ensure that you have provisioned your Druva Cloud Storage and configured appropriate Storage Rules. A backup policy defined to move snapshots to Druva Cloud will be executed only when a corresponding Storage Rule is available. For more information, see Provision Storage on Druva Cloud and Configure Storage Rules.

Step 3: Specify the backup Schedule.


  • Specify the backup Frequency.

    • Create backup every: Choose the backup frequency by day, week, month, or year.
      Backup every week on Monday every hour at 50 minutes past the hour.
      Backup every month on the 1st day of the month every 30 minutes.

    • Backup Window [Optional]: Specify the backup from and to time in HH:MM notation.
      Note: This field applies only if you specify weekly backup every hour in the Create Backup Every field.

    • Time Zone: Select the time zone that applies to the backup frequency specified.

  • Click Save & Continue.
Step 4: Specify the Resources for backup.
  • On the Resources tab, click Add to identify resources that you wish to include in the backup.
  • On the Identify Resources page, specify the filter criteria to identify specific resources to include or exclude:

Note: Leverage AWS Tags to add multiple AWS resources to a particular Druva backup policy, rather than create multiple include rules to add AWS resources.

As a best practice, we recommend that you use AWS Tags to add resources to a backup policy using a single rule.

How Include/Exclude conditions apply on Druva management console:
  • Include rules: When multiple include rules are defined, this translates to an ‘OR’ condition. In other words, resources are matched against each include rule, and do not have to meet all specified conditions concurrently.
  • Exclude rules: Exclude rules take precedence when the same resource is matched based on the include and exclude criteria selected.
    An exception to this is when an EC2 resource is selected within include and an EBS volume within exclude. In such a scenario, the EBS volume that is part of EC2 will not be excluded from the backup.
  • When multiple tags are defined as part of include/exclude, this translates to an ‘AND’ condition.



Find Resource types

Select the Resource Type, for example, EBS Volume, EC2, RDS, or Redshift.
You may select All resource types to filter resources across resource types.

In account

Select the CloudRanger account associated with the AWS resources to be specified.
You may select All accounts to identify resources across accounts.

And in region

Select the applicable AWS regions, or select All regions.


Select the match criteria by Resource IDs, Tags, VPC IDs, Subnet IDs, or select All resources.
Based upon the Match selected, you will need to specify the criteria values appropriate to that criteria.
For example:
Tags: Backup Type; Values: Daily
VPC IDs: Select by VPC IDs or VPC Name

  • Similarly, on Exclude Resources, click Add to identify specific resources that you wish to exclude from the backup.
  • The resources identified are then displayed under Include or Exclude Resources, based on your selection criteria.
  • Click the Resource count to view the list of resources that are filtered using the Include or Exclude criteria:

  • The Resources page displays the list of resources categorized by Resource ID, Type, Region, and by Account. You may use the search or filter feature to locate specific resources by Resource Type or Region.

Note: Use the Download as CSV option to download the list of resources identified by the rule as a CSV file.


Note: If the Resource Rule applied filters duplicate resources, the duplicate rule will be displayed with a Icon.png icon on the management console. You can still create rules that identify duplicate resources, but these will be flagged and you may choose to edit the rule, as appropriate.

  • To eliminate a specific resource in the list from your backup policy, select the checkbox against that resource and click Remove.

  • Click Save & Continue.
Step 5: Specify the criteria for any additional backup Copies

Note: Cross-region and cross-account backups are not supported for Redshift instances.

  • Select the Save extra copies to other regions checkbox to create additional copies of your AWS backups in multiple regions.
    You may specify up to two additional AWS regions to create copies in.
  • Select the Save an extra copy to another account checkbox to create additional copies of your AWS backups in another CloudRanger account.

Note: The Backup Copy Encryption is applicable only if one or more resources included in the policy is encrypted, and a backup is to be generated. If the source resource is encrypted, then an Encryption Key is applied to the backup operation.

The Backup Copy Encryption options are displayed only when a cross-region or cross-account backup is to be generated for encrypted snapshots.

  • To backup encrypted resources, you will need to define the association of keys between the source and the target regions for that backup.
    To do this, select the Target Key for each target region specified.

  • Under Resource Backup Options, you have the option to create backups of EC2 resources as AMIs or as snapshots. In the case of AMIs, you may also select your reboot preferences. 
  • Click Save & Continue.
Step 6: Specify the backup Retention criteria.

Specify the Retention criteria. The standard retention options are pre-populated and you may modify based on your business requirements.

Note: Druva CloudRanger follows the Grandfather-Father-Son (GFS) retention model. For more information on retention, please see About Retention for Backup Policies.



Tiered Retention

Select this option to specify the criteria for tiered retention of backups.

  • All backups retained for: Select the retention duration in hours, days, weeks, months, or years.
  • Select the retention criteria for Weekly, Monthly, or Yearly Backups.

You can choose to modify the default retention duration that is pre-populated.

Never delete

[Optional] Select this option to retain snapshots indefinitely.

Archive to S3  
Move backups to S3

Select the checkbox and specify the Storage Class to which the backup is to be transitioned as well as the retention period.
Example: Move weekly, monthly, and yearly backups to Glacier after 3 weeks.

Note: The storage class policy settings specified here will override any policy-based retention when moving a snapshot with an associated backup policy
Store backups in

Select the Druva CloudRanger account and AWS region to which the backup is to be archived.

EC2 and EBS snapshot retention

You may also specify the snapshot retention criteria. This retention applies to snapshots retained within your AWS environment.

A master snapshot will still be retained, irrespective of the retention set here.

Note: Backups on Druva Cloud. will adhere to the retention set at the policy level. 

Copy Options

Specify the retention criteria for the additional backup copies.

  • Select Same retention as source backup to retain the retention criteria.
  • Alternatively, you may specify the retention in hours, days, weeks, months, or years.

Enable Data Lock

Set the toggle to enable snapshot immutability, that is the accidental or malicious deletion of snapshots. Once enabled,  Data Lock is applied to all snapshots protected by the backup policy. For more information, see Data Lock.

Step 7: Specify Additional Options for the backup.

Select the Execute VSS Consistent Scripts (Windows Only) checkbox to generate consistent snapshots for any Windows server with VSS installed.

Note: If the selected Backup Policy has servers defined that do not have VSS installed, then a standard AWS EBS snapshot is generated. For more information, please see Generate VSS consistent snapshots for Windows servers.
  • Script Execution: The pre- and post-backup scripts feature offers enterprises the option to generate application-consistent snapshots for common applications like SQL Server. This ensures that the point-in-time snapshots will remain crash-consistent as well as application-consistent.
    • Select the Execute pre- and post-scripts for EC2 instances checkbox to enable script execution when creating a new backup policy.
      In addition, you can manage backup generation in the event that the scripts configured are unavailable.
    • Define the time limit to terminate script execution.
      For exampleAbort script execution in 5 minutes
    • Select the backup execution criteria if the script is unavailable.
      • Execute backup without the script: Selecting this option will execute the backup without the configured script.
      • Attempt backup execution with warning: Selecting this option will initiate the backup but fail it at the point of execution of script.
      • Fail the backup and generate an error: Selecting this option fails the backup and generates an error corresponding to the backup failure.

Note: You may configure scripts to specific resources from the main Scripts page. For more information, see Configure and Manage Backup Scripts.

  • Under AMI Options specify whether the policy should generate an AMI or a Snapshot.
    • Create a second 'root volume only' AMI with each backup: Enable this option to create a second AMI for all EC2 instances backed up by the policy, with the Block Device Mappings adjusted to only contain the root volume.

      Root AMI.png

      Note: This option is available only when AMI is selected from on the AMI Options drop-down, flagging this as an AMI policy.

      • The backup retention, file-level search, as well as Druva Cloud backup workflow will all function for this second AMI, as expected.
      • The second AMI is handled by the same job, and will begin to execute once the first AMI is generated. Both the AMIs will not be created simultaneously to prevent extra load on the instance.

        Root AMI Jobs.png
  • Under Add Tags to Backups specify the tags to be applied to each backup generated by the policy. Tags act as metadata to help identify and organize your AWS resources. Based on the Key selected, you will need to specify the appropriate Value. For example:
    Key: Created by Policy; Value: New
    Key: Origin; Value: Specify Origin ID
  • Select the Inherit tags from Source checkbox to inherit or retrieve tags from the Origin servers and apply them to backups generated by the policy.
  • Click Save.
Note: To manage tags on existing snapshots, please refer to AWS Management Console - Tag Editor.

The backup policy is now successfully defined and is displayed on the main Backup Policies page with the State toggle set to Active.

Modify backup policy state

You can choose to set a backup policy to Active or Disable it. When a new Backup Policy is defined, the State toggle is set to Active by default.

Note: Disabling a policy suspends all associated activities including backup retention and cleanup.

To modify the state of the backup policy, click the State toggle icon against the backup policy.