RMAN on AWS: The Two Deployment Patterns
Oracle on AWS comes in two shapes: self-managed on EC2, or RDS for Oracle. The backup strategy for each is very different, even though the underlying database engine is the same. The confusion between the two patterns is where most Oracle-on-AWS backup architectures go wrong.
On EC2, you own everything — RMAN configuration, backup destinations, encryption, catalog management, archival, and retention. RMAN is the primary tool. This is the pattern most enterprises migrating existing on-prem Oracle workloads end up with, because it preserves the operational model they already know.
On RDS for Oracle, AWS manages the snapshot-based backup. RMAN is still available, but with constraints: you cannot write directly to local file systems, and cross-region/cross-account backup requires specific patterns through S3 integration. Most teams end up running a hybrid — RDS automated snapshots for day-to-day restore, plus scheduled RMAN exports to S3 for longer retention and logical copies.
Pattern 1: EC2 Oracle + S3 Backup Destination
For self-managed Oracle on EC2, S3 is the correct backup destination for anything longer than a week of retention. Local EBS for the most recent backups; S3 for everything older.
The Architecture
- Level 0 (full) backup runs weekly to local EBS, then copied to S3 Standard
- Level 1 incremental runs daily to local EBS, copied to S3 Standard
- Archive logs ship to S3 continuously (every 15 minutes or on switch)
- After 7 days, backups transition to S3 Standard-IA via lifecycle policy
- After 30 days, transition to S3 Glacier Instant Retrieval
- After 90 days, transition to S3 Glacier Flexible Retrieval for long-term compliance retention
Why Not Write RMAN Directly to S3 with Cloud Backup Module?
Oracle's Cloud Backup Module supports writing RMAN output directly to object storage. It works — but in AWS, the network throughput and latency characteristics of direct-to-S3 writes are not ideal for large-VLDB backups. The pattern we use is: write RMAN to local EBS (throughput predictable), then asynchronously copy to S3 via aws s3 cp or sync with high concurrency. Separates the backup window from the upload window.
For databases under 2 TB, direct-to-S3 via Cloud Backup Module is fine. Above that, the two-stage pattern reduces backup window risk.
Incremental Merge (Incrementally Updated Backups)
The most underused RMAN feature on AWS: incrementally updated backups. Instead of keeping separate Level 0 and Level 1 files, you apply the incremental into the image copy nightly. Your "current backup" is always effectively a fresh Level 0, with the recovery time reduced to archive-log replay since the last merge.
Combined with S3 lifecycle rules, this keeps the hot backup footprint small while maintaining full restore speed.
Watch the egress cost on restore. S3 storage is cheap; restore traffic from S3 to EC2 within the same region is free. Restore traffic across regions is not. Plan your DR region restore path explicitly — know what a full restore will cost before you need to do one in a real incident.
Pattern 2: RDS for Oracle + RMAN Exports to S3
RDS for Oracle's automated snapshots cover most operational restore scenarios. The limitation is retention — snapshots max out at 35 days, and cross-region snapshot copy is a separate workflow with its own cost.
For anything beyond 35 days — compliance retention, logical restore of a prior month, long-term archive — RMAN exports to S3 are the answer.
The RDS S3 Integration Option
RDS for Oracle supports an S3 integration option that lets you run RMAN backup commands that write directly to S3 via the rdsadmin package. The syntax looks like a normal RMAN backup, but with an S3 destination. This is the mechanism for all long-retention backups off an RDS instance.
What We Typically Configure
- RDS automated snapshots: 7–14 days retention (operational restore)
- RDS manual snapshots: taken before major changes, retained 90 days
- RMAN level 0 backup to S3 weekly (point-in-time archive)
- RMAN archive log export to S3 every 4 hours (for PITR outside the automated snapshot window)
- S3 lifecycle policy transitions backups through storage tiers identical to the EC2 pattern
Cross-Region DR Strategy
S3 Cross-Region Replication is the cleanest mechanism for maintaining backup copies in a DR region. Replication is asynchronous, triggered by S3 PUT events, and encrypted in transit.
For RTO requirements under 4 hours on a multi-TB Oracle database, S3 CRR alone is not sufficient — you also want a standby database (Oracle Data Guard or AWS DMS for logical replication) in the DR region. S3 backups are the tertiary protection layer, not the primary DR mechanism.
For RTO requirements of 8+ hours, S3 CRR alone plus periodic test restores in the DR region is an acceptable strategy at meaningfully lower cost than running a standby.
Encryption and Audit Requirements
RMAN backups should be encrypted in transit and at rest. On AWS:
- At rest: S3 server-side encryption with KMS (SSE-KMS), using a customer-managed key, not the AWS-managed default
- In transit: TLS for all RMAN-to-S3 traffic (default when using the SDK)
- Optionally: RMAN-native encryption using Oracle's Transparent Data Encryption (TDE) or RMAN backup encryption with a wallet, for defense in depth
- Bucket policies restricting access by VPC endpoint and IAM role — never public read
- CloudTrail logging all S3 access to the backup bucket, with a separate log archive account for the audit trail
For regulated workloads (PCI, HIPAA, SOC 2), the customer-managed KMS key is non-negotiable. Auditors will ask who has decrypt permissions and how that's logged.
Cost Math for a Representative Workload
1 TB production Oracle database, 35 days of daily incremental backups + 7 weekly L0, plus 2 years of monthly archives for compliance:
- S3 Standard (hot): ~1.5 TB at $0.023/GB = $35/month
- S3 Standard-IA (warm): ~3 TB at $0.0125/GB = $38/month
- S3 Glacier Instant Retrieval: ~8 TB at $0.004/GB = $33/month
- S3 Glacier Flexible Retrieval (compliance archive): ~20 TB at $0.0036/GB = $74/month
- KMS key usage: ~$5/month
- Total: ~$185/month for comprehensive, compliant, multi-tier Oracle backup
Compared to an on-premises tape infrastructure, or a third-party backup-as-a-service platform charging per-GB protected, this is often 60–80% cheaper at equal or better durability.
What to Check if Your Current Strategy is Older Than 2 Years
Oracle-on-AWS backup patterns that were reasonable in 2022 are often inefficient in 2026. Three things to verify:
1. Are you still using Intelligent-Tiering or explicit lifecycle rules? Explicit rules with known transition dates are usually cheaper for predictable backup workloads.
2. Are archive logs shipping to S3 at the right cadence? Every 15 minutes is overkill for most workloads and burns PUT request cost. Every hour or on-switch is usually sufficient.
3. When was the last real test restore? The backup strategy is not proven until you've restored from it. Quarterly test restore is the minimum, annual for low-change workloads. If nobody on the team remembers the last successful test restore, you have a problem.
The Bottom Line
Oracle RMAN on AWS is a mature, well-understood pattern when configured correctly. The combination of local EBS for backup window speed, S3 for durability and cost, lifecycle rules for tiering, and KMS for encryption gives you a backup architecture that is simultaneously faster, cheaper, and more compliant than the on-prem infrastructure most companies migrated from.
The mistakes are almost always the same: not testing restore, not using lifecycle policies, using the wrong backup destination for database size, or not separating the backup window from the upload window.
Review your Oracle backup strategy?
We'll audit your current RMAN + S3 setup, model the cost/RTO tradeoffs, and return a concrete remediation plan in 5–7 business days.