S3 Cross-Region Replication vs AWS Backup: Which One to Use

The Question Every AWS Engineer Eventually Faces

Your manager asks: “Are we protected if an AWS region goes down?”

The honest answer depends entirely on which data protection strategy is actually in place. Two options come up in almost every conversation: S3 Cross-Region Replication (CRR) and AWS Backup. They sound similar. They do very different things.

Choosing the wrong one — or using both unnecessarily — costs money and creates false confidence. This guide breaks down what each service actually does, when to use each, and how to configure them correctly.

Multi-region data protection requires understanding what each AWS service actually protects against

What S3 Cross-Region Replication Actually Does

S3 Cross-Region Replication copies objects from a source bucket in one region to a destination bucket in a different region — automatically, as objects are written. New objects uploaded to the source bucket appear in the destination bucket within seconds to minutes.

Key behaviors to understand:

CRR is a sync, not a backup. If an object is deleted in the source bucket, the deletion is replicated to the destination. If an object is overwritten, the overwrite is replicated. CRR protects against regional unavailability — not against accidental deletion or data corruption.

CRR is one-way by default. Objects flow from source to destination. Two-way replication requires two separate replication rules. For most DR use cases, one-way is correct.

Existing objects are not replicated automatically. CRR only replicates objects uploaded after the replication rule is created. To replicate existing objects, use S3 Batch Operations separately.

CRR works across accounts. You can replicate to a destination bucket owned by a different AWS account — useful for separating production and backup accounts.

When CRR Is the Right Choice

Use S3 Cross-Region Replication when:

• You need data available immediately in a secondary region during a regional outage
• Your RTO (Recovery Time Objective) is measured in minutes, not hours
• You are serving content to users in multiple geographic regions and want low-latency reads from a regional bucket
• You need a real-time copy for regulatory compliance that requires geographic separation

The disaster recovery scenario from the AWS region outage migration guide is a perfect example: S3 CRR was the only reason a full platform migration was possible in under 48 hours. The replicated content was already in us-east-1 before the outage started.

Configuring S3 Cross-Region Replication

# Enable versioning on source bucket (required for CRR)
aws s3api put-bucket-versioning \
  --bucket source-bucket-name \
  --versioning-configuration Status=Enabled

# Enable versioning on destination bucket
aws s3api put-bucket-versioning \
  --bucket dest-bucket-name-us-east-1 \
  --versioning-configuration Status=Enabled

# Create replication configuration
aws s3api put-bucket-replication \
  --bucket source-bucket-name \
  --replication-configuration file://replication-config.json

replication-config.json:

{
  "Role": "arn:aws:iam::ACCOUNT_ID:role/s3-replication-role",
  "Rules": [
    {
      "ID": "replicate-all-objects",
      "Status": "Enabled",
      "Prefix": "",
      "Destination": {
        "Bucket": "arn:aws:s3:::dest-bucket-name-us-east-1",
        "StorageClass": "STANDARD"
      }
    }
  ]
}

The IAM role needs s3:ReplicateObject, s3:ReplicateDelete, and s3:GetObjectVersionForReplication permissions.

Cost: Replication adds a per-request charge ($0.005 per 1,000 requests) plus standard S3 storage costs in the destination region. For most workloads, the cost is modest relative to the protection provided.

What AWS Backup Actually Does

AWS Backup is a centralized backup service that creates point-in-time snapshots across multiple AWS services — S3, RDS, DynamoDB, EBS, EFS, and others. Unlike CRR, AWS Backup creates independent copies that can be restored to any point within the retention window.

Key behaviors:

AWS Backup is a backup, not a sync. A backup taken at 2:00 AM contains the state of the resource at that exact time. If data is deleted or corrupted after the backup, you can restore to the previous state.

Retention policies are configurable. Keep 7 daily backups, 4 weekly, 12 monthly — or any retention schedule that matches compliance requirements.

Cross-region and cross-account copies are supported. A backup policy can copy snapshots to a secondary region automatically, providing both point-in-time recovery and regional redundancy for snapshots.

It covers more than S3. AWS Backup centralizes protection for RDS databases, DynamoDB tables, EBS volumes, and more — all from one service with unified policy management.

When AWS Backup Is the Right Choice

Use AWS Backup when:

• You need protection against accidental deletion or data corruption
• Compliance requires point-in-time recovery with defined retention periods
• You need to protect non-S3 resources (RDS, DynamoDB, EBS) under one policy
• Your RPO (Recovery Point Objective) allows for some data loss (hourly, daily backups)

AWS Backup is the right answer when the threat is operational error, not regional failure. A developer accidentally drops a table. An application bug corrupts a batch of records. An attacker with write access deletes objects. In all these cases, CRR is useless — the error is replicated along with the data. A backup from before the incident is the only recovery path.

Configuring AWS Backup for S3

# Create a backup plan
aws backup create-backup-plan \
  --backup-plan '{
    "BackupPlanName": "s3-daily-backup",
    "Rules": [
      {
        "RuleName": "daily-s3-backup",
        "TargetBackupVaultName": "Default",
        "ScheduleExpression": "cron(0 2 * * ? *)",
        "StartWindowMinutes": 60,
        "CompletionWindowMinutes": 180,
        "Lifecycle": {
          "DeleteAfterDays": 30
        },
        "CopyActions": [
          {
            "DestinationBackupVaultArn": "arn:aws:backup:us-east-1:ACCOUNT_ID:backup-vault:Default",
            "Lifecycle": {
              "DeleteAfterDays": 90
            }
          }
        ]
      }
    ]
  }'

This creates daily S3 backups at 2:00 AM UTC, retains them for 30 days locally and 90 days in the cross-region copy.

AWS Backup provides point-in-time recovery — essential protection that CRR alone cannot provide

Side-by-Side Comparison

Feature	S3 Cross-Region Replication	AWS Backup
Protection against	Regional outage	Deletion, corruption, operational error
Recovery point	Real-time (seconds to minutes lag)	Last backup (hourly/daily)
Recovery time	Immediate — data already in target region	Minutes to hours for restore
Deletion replication	Yes — deletions replicate	No — backup preserved independently
Point-in-time recovery	No	Yes
Covers RDS, DynamoDB, EBS	No (S3 only)	Yes
Cost model	Per-request + storage	Per GB backed up + storage
Best for	DR, low RTO	Compliance, accidental deletion protection

Which One Should You Use?

The correct answer for most production workloads: both, for different reasons.

Use CRR for:

• Static assets, media files, course content, user uploads that need to be immediately available in a DR region
• Any S3 bucket that is on the critical path for application recovery

Use AWS Backup for:

• Databases (RDS, DynamoDB) — CRR does not cover these
• Compliance retention requirements (30, 90, 365 days)
• Protection against the operational errors that CRR makes worse

A practical tiered approach for a production platform:

1. Enable CRR on all business-critical S3 buckets — these must be available immediately during DR
2. Configure AWS Backup with 30-day retention for S3, RDS, DynamoDB
3. Set up cross-region backup copies for RDS and DynamoDB to the secondary region
4. Test restoration quarterly — a backup that has never been tested is an assumption, not a guarantee

Running a cost audit before setting up replication is worthwhile — unnecessary replication of infrequently accessed data adds up. Check 7 hidden AWS resources that drain budgets for what else to look at during the same review.

Key Takeaways

• CRR and AWS Backup solve different problems — using one does not replace the other
• CRR protects against regional unavailability; AWS Backup protects against deletion and corruption
• CRR only works on new objects — replicate existing objects separately with S3 Batch Operations
• AWS Backup is the centralized solution for non-S3 resources (RDS, DynamoDB, EBS)
• Test restore procedures — a backup that has never been tested provides false confidence

FAQ

Does S3 CRR replicate delete markers?

By default, delete markers are not replicated by CRR. This can be changed with the DeleteMarkerReplication setting in the replication configuration. For most DR use cases, not replicating deletes is the safer default — it means accidental deletions in the source do not cascade to the replica.

Can I use CRR and AWS Backup together on the same bucket?

Yes. This is the recommended approach for critical data. CRR gives you immediate availability in a secondary region for DR. AWS Backup gives you point-in-time recovery against operational errors. They are complementary, not redundant.

What is the cost difference between CRR and AWS Backup?

CRR cost: replication requests ($0.005/1,000 requests) plus storage in the destination region. AWS Backup cost: $0.05/GB/month for warm storage, $0.01/GB/month for cold storage. For large buckets with infrequently changed data, CRR is often cheaper. For small buckets with frequent changes, AWS Backup may cost less. Run the numbers for your specific usage pattern.

How long does S3 CRR take to replicate objects?

Most objects replicate within 15 minutes. For time-sensitive replication, enable S3 Replication Time Control (RTC), which guarantees 99.99% of objects replicate within 15 minutes and includes a CloudWatch metric for replication latency. RTC adds cost but provides SLA guarantees.

What happens to CRR if the destination bucket is unavailable?

CRR queues replication events during destination unavailability and retries automatically. If the destination is down during an event like a regional outage, the replication queue may grow, but objects are not lost. Once the destination is available again, replication resumes from where it stopped.

Conclusion

S3 Cross-Region Replication and AWS Backup are both essential tools — but they are not interchangeable. CRR is your real-time DR copy for regional failover. AWS Backup is your safety net against the operational errors that are far more common than regional outages.

Enable both. Know what each protects against. Test your restore procedures before you need them.

Read next: AWS Region Outage: Complete Emergency Migration Guide →

Need help designing a data protection strategy for your AWS infrastructure? View our DR planning service →