AWS Backup — Tag-based Resource Filtering Not Working as Expected

[vaibhavrajchauhan-crx]

AWS Backup: Restricting Backups by Service and Tags

I’m setting up AWS Backup to take service-specific backups, where each AWS service (S3, EC2, RDS, DDB, EBS) has its own backup plan and vault.

---

🎯 Goal

Each backup plan should only back up resources that:

• Belong to a specific service, and

• Have specific tags

Example:

Backup Plan	Tags to Match	Expected Resource Type
s3-backup-plan	BACKUP=DAILY, RESOURCE=S3	Only S3 Buckets

---

🧩 What I’ve Tried

1. Resource ARN–based Selection

• Added only S3 ARNs with tag BACKUP=DAILY

• Result: AWS Backup still backed up all resources (EC2, RDS, etc.) that shared the same tag.

---

2. Tag-based Selection (No ARNs)

• Removed ARNs and used tag filters only:

  BACKUP=DAILY
  RESOURCE=S3
  

• Result: AWS Backup still included all resources with the BACKUP=DAILY tag, regardless of type.

---

📄 AWS Documentation Statement

“Filter resources by tags. For multiple tags, resources will only be assigned to the backup plan if they satisfy all tag conditions.”

Even though all tag conditions are satisfied, AWS Backup does not seem to limit selection by service type, leading to cross-service backups.

---

⚠️ Current Issue

Even with multiple tag filters applied, AWS Backup is including all tagged resources (across EC2, S3, RDS, etc.) in every plan — causing duplicate backups across multiple vaults.

---

❓Question

How can I configure AWS Backup so that:

1. Each backup plan is restricted to a specific service (e.g., only S3), and

2. Only backs up resources with specific tags (like BACKUP=DAILY, RESOURCE=S3)?

Is there a correct or recommended way to limit backups by both service type and tags?