Article

Backup Retention Policy: What to Keep, How Long, and Where

Building a backup retention policy that survives cloud drift, compliance audits, and ransomware recovery comes down to how you set, enforce, and audit it.

Team Eon
Written by
Team Eon
Last updated: 
Jun 30, 2026
0
 min read

Quick Summary

  • Set retention by tiering policies to data class, compliance scope, and recovery requirements, not by applying one default to everything.
  • Enforce retention with automated discovery, classification, and policy assignment so new resources never ship without coverage.
  • Audit retention by tracking which resources are protected, which rules are enforced, and which workloads have drifted from policy.
  • Most retention failures trace back to drift and over-retention, not missing policies. Automation and visibility close that gap.

Most teams have a backup retention policy on paper, but it falls out of sync the moment new accounts, databases, and buckets appear faster than anyone updates the rules.

What is a backup retention policy?

A backup retention policy is an organizational rule that defines which backup data to keep, how long to keep it, where to store it, and when to delete it. It determines the number of backup versions retained, the storage tier for each version, and the conditions under which backups are purged or promoted to long-term archive.

The policy connects three concerns that teams often manage separately: recovery readiness (can we restore what we need?), compliance (can we prove what we kept and when?), and cost control (are we paying for backups we no longer need?).

Why do backup retention policies break at cloud scale?

On-prem, a retention policy covered a known set of servers and storage arrays. The environment changed slowly. A quarterly review could catch most drift.

In the cloud, the environment changes daily. Teams add accounts, provision managed databases, launch containers, and create storage buckets across regions. 

Eon's State of Cloud Backup 2025 report found that 51% of organizations still rely on manual or semi-automated backup processes, and one in five organizations use multiple backup tools, leading to policy drift and operational inefficiency.

Here are the failure patterns we see most often:

  • Retention drift across accounts and teams: A fix applied in one region does not propagate to the others, so the audit clears where it was patched while the rest stays exposed.
  • Over-retention inflating costs: Snapshots set to “forever” pile up untouched. One Eon customer found a non-critical workload on over 10,000 unknown snapshots; right-sizing saved tens of thousands of dollars.
  • Under-retention creating recovery gaps: A 7-14 day default is fine for dev, but when the window is shorter than your threat-detection window, the clean recovery points are gone before you reach for them.
  • No visibility into what retention rules actually apply: Even with policies on paper, teams often cannot say which rules are actually enforced or which workloads have drifted, so retention runs on guesswork.

What should a backup retention policy include?

A complete backup retention policy covers six elements. Miss one and the gap surfaces during an incident or audit.

  • Data scope and classification: which data types, workloads, and environments the policy covers, since you can't set retention without knowing what you're retaining and why.
  • Retention periods by tier: how long each data class is kept, so cost tracks risk instead of paying to keep everything for the same length of time.
  • Storage location and separation: where backup copies live and how they're isolated, because retention means nothing if the backup is reachable through the same credentials as production.
  • Immutability windows: how long a copy can't be changed or deleted, even by an administrator, which is what protects backups against ransomware, insider threats, and accidental deletion.
  • Access controls and audit trail: who can view, restore, modify, or delete backups and how those actions are logged, since compliance frameworks require proof of who touched backup data and when.
  • Review and enforcement cadence: how often the policy is reviewed, who owns it, and how enforcement is automated, because unreviewed policies drift and unautomated ones fail.

How do you set the right retention periods?

Retention periods should be driven by three inputs. These include recovery requirements, compliance mandates, and cost constraints. Starting from any one input alone produces a policy that fails the other two.

Recovery requirements come first

Define your recovery point objective (RPO) and recovery time objective (RTO) for each workload. Then work backward:

  • If your RPO is 1 hour, you need hourly backups.
  • If corruption can go undetected for 30 days, your retention window must be longer than 30 days.
  • If ransomware dwell time averages 10–21 days in your environment, your immutability window must cover that period. CISA's LockBit advisory recommends that backup data be encrypted, immutable, and cover the organization's entire data infrastructure.

Compliance sets the floor

Different regulatory frameworks impose different minimum retention periods, and most organizations fall under more than one:

  • HIPAA: 6 years for required compliance documentation. Patient records follow state law, often 7 to 10 years.
  • SOX (Sarbanes-Oxley): 7 years for financial records and audit documentation.
  • GDPR: no fixed period, but data can't be kept longer than necessary for its stated purpose.
  • PCI-DSS: 1 year minimum for audit logs, and card data retention varies by use case.
  • SOC 2: periods are set by the organization, but they must be documented and enforced.

GDPR creates a specific tension with backup retention. The regulation's "right to erasure" conflicts with backup copies that may contain the same personal data. Your policy needs to address how deletion requests are handled when the data exists in immutable backup copies with active retention windows.

Cost sets the ceiling

Every retained backup has a storage cost. EBS snapshots run approximately $0.05/GB per month. S3 Standard costs roughly $0.023/GB per month. S3 Glacier Deep Archive drops below $0.001/GB per month. But the tier pricing is only part of the cost.

The bigger issue is redundancy and over-retention. If 100 EC2 instances share 80% of the same underlying data and each is backed up independently with long retention windows, you are storing near-identical copies at full price for the entire retention period.

Eon cuts this cost by storing backup data in deduplicated, compressed Parquet format rather than block-level snapshots. One copy serves all regions. Database maintenance like vacuum operations does not inflate backup size.

The result is 30–50% lower backup storage costs compared to native cloud snapshots. NETGEAR reduced backup storage costs by 35%, and Innago saved 40% after switching to Eon.

What does a practical retention matrix look like?

A retention matrix maps data classes to backup frequency, retention duration, immutability window, and storage tier. This starting framework has worked well across cloud-first teams:

Tier Backup frequency Retention Immutability window Notes
Dev/Test Daily 7–14 days None Expire quickly. Low recovery risk.
Internal Production Daily + weekly 90 days 14–30 days Weekly checkpoints support rollback.
Customer Production (PII) Hourly + daily + weekly 1 year 30–90 days Add cross-region copy.
Financial/Regulated Systems Daily + weekly + monthly 5–7 years 90 days (policy-driven) Vault-style isolation recommended.
Compliance Documentation Weekly Matches regulatory minimum (6–7 years) Full retention period Immutable for the duration.

Your matrix should be customized based on workload behavior, data change rate, regulatory scope, and recovery testing results.

In Eon, policies use conditions and rules. Conditions decide which resources the policy applies to (based on data class, environment, resource metadata, and policy conditions). Rules define backup frequency, retention period, and vault destination. 

When a new resource appears that matches the conditions, the policy applies automatically without anyone needing to tag it or write a new rule.

How do you implement a backup retention policy in 7 steps?

We've broken this into the sequence that works for cloud teams managing multiple accounts, regions, and data classes. Each step builds on the one before it, so the order is deliberate. 

1. Inventory data sources, accounts, and regions

Map every database, file system, object store, VM, container workload, and managed service across all accounts and regions, and flag what already has coverage. Catalog secondary copies too (snapshots, replicas, cross-region copies, exports), since one regulated record often lives in several.

2. Classify data by business value and risk

Group workloads into the retention tiers from the matrix above; that classification drives every downstream choice. Manual tagging breaks at scale, which is where Eon’s Cloud Backup Posture Management (CBPM) classifies resources by content (PII, PHI, financial) and applies the matching policy automatically.

3. Define retention periods and immutability windows

As outlined in the six-element framework and matrix above, map each data class to a retention period, immutability window, and storage location. Set the immutability window against real threat dwell time: 30 days for fast-caught attacks, 90 for slower compromises.

4. Automate policy enforcement

Manual retention management does not work at cloud scale. Set org-wide guardrails; "Any production resource must have a minimum 90-day retention and cross-region copy." When resources drift from policy, auto-trigger alerts or tickets.

5. Set access controls and audit logging

Define who can view backups, search backup data, export results, change retention policies, and start restores. Separate these permissions:

  • Data access (who can read backup contents) from key access (who can decrypt).
  • Policy administration (who can change retention rules) from restore execution (who can trigger a restore).
  • Routine access from break-glass access (emergency restore paths).

Log every action. Compliance frameworks require proof of who accessed backup data, when, and what they did. 

6. Test restore paths tied to retention windows

A retention policy is only trustworthy if the retained backups are actually restorable. Test more than one path: full instance, file-level, record-level, cross-region, and restores from the oldest retained backup.

Key questions the test should answer:

  • Can you restore from the oldest backup in each retention tier?
  • Does the restore work after key rotation or access policy changes?
  • Can you restore the specific file, object, table, or record you need without recovering the full environment?

SoFi cut recovery time from a full day to minutes across five AWS regions, while StructuredWeb cut backup retrieval time by 98%.

These results depend on granular restore capability paired with retained backups. Eon's Granular Restoration supports file, object, table, and record-level recovery without rebuilding the full environment.

7. Review, document, and assign ownership

Schedule quarterly reviews of retention policies. Assign clear owners for policy reviews, restore tests, alert handling, and compliance evidence. Document everything.

The policy you write today will not fit your environment a year from now. Accounts change, compliance requirements evolve, workloads get added and retired. Someone needs to own the review cycle and the ongoing enforcement, from day one through every quarterly check.

What are the most common retention policy mistakes?

These are the most common retention policy mistakes, and how to fix them.

Mistake What goes wrong How to fix it
One default policy for everything Dev snapshots retained for years; regulated data retained for days Tier retention by data class, workload, and compliance scope
Setting and forgetting New resources ship without policies; old rules drift out of alignment Automate discovery, classification, and enforcement; review quarterly
Retaining everything forever Storage costs grow without bound; GDPR deletion obligations are violated Set explicit retention periods with automated purge at expiration
No immutability on critical backups Ransomware or insider threats delete or encrypt retained backups Apply immutability windows matched to threat dwell time
Treating retention as proof of recoverability Backups exist but have never been tested; restores fail when needed Test restore paths from each retention tier at least quarterly
Ignoring secondary copies Snapshots, replicas, and exports accumulate outside the retention policy Inventory all copies; apply retention rules to every backup artifact

Where does retention policy fit alongside other controls?

A retention policy is one layer of backup posture and only holds up when the controls around it do.

  • Backup coverage: Retention rules do nothing for a resource that was never backed up, so coverage is the precondition for everything else; 61% of teams report finding protection gaps only after an incident, audit, or failed restore. 
  • Immutability: retention sets how long you keep a copy; immutability sets whether anyone (including an admin or an attacker with valid credentials) can alter or delete it inside that window. A retention window without logically air-gapped immutable copies is only as durable as the weakest credential that can reach it.
  • Backup data access: Retained backups that sit cold are paid-for data doing nothing the other 364 days; open formats let that data also serve analytics and compliance.
  • Cost visibility: Without per-resource cost attribution, over-retention hides inside the aggregate bill, so tie retention spend to team, account, workload, and region before deciding what to trim.

Make retention rules stick at cloud scale

Most teams can't say which of their retention rules are actually enforced without a manual, account-by-account review. That's the gap a backup retention policy alone doesn't close. You need automated discovery, classification, and enforcement to make retention rules stick at cloud scale.

Book a demo to see how Eon's CBPM discovers resources, classifies data, enforces retention policies automatically, and surfaces drift before it becomes a compliance finding or a recovery failure.

Frequently asked questions

What is a backup retention policy?

A backup retention policy is an organizational rule that defines which backup data to keep, how long to retain it, where to store it, and when to delete it. It governs the full lifecycle of backup copies from creation through purge.

How long should you retain backups?

Backup retention depends on data class, compliance requirements, and recovery needs. Dev/test data typically needs 7–14 days. Production data ranges from 90 days to 1 year. Regulated and financial data may require 5–7 years. Start from compliance minimums and recovery requirements, then optimize for cost.

What is the difference between retention and immutability?

Retention defines how long a backup copy is kept before deletion. Immutability defines whether a backup copy can be modified or deleted during its retention window. A backup can have a 1-year retention period with a 90-day immutability window, meaning it is protected from changes for the first 90 days and kept for a full year.

Does GDPR conflict with backup retention?

Yes, GDPR's "right to erasure" can conflict with backup retention windows. If a data subject requests deletion, the data may still exist in immutable backup copies. Your retention policy should document how deletion requests are handled when backup copies are subject to active retention or immutability rules.

How often should you review a backup retention policy?

Review backup retention policies at least quarterly. Review immediately when compliance requirements change, new workloads are added, or the organization's cloud footprint expands to new accounts, regions, or providers. Automated drift detection reduces the manual effort required for each review.

How does Eon help with backup retention policy enforcement?

Eon enforces backup retention policies through Cloud Backup Posture Management(CBPM), which discovers resources, classifies data, applies retention policies without manual tagging, and surfaces drift across AWS, Azure, and Google Cloud. Teams can set org-wide retention guardrails with Backup Posture Controls while allowing team-level flexibility.

FAQ

No items found.
Team Eon
Team Eon
>100% ROI in the first year

SoFi automated multi-region resilience and regulatory alignment across five AWS regions with Eon’s agentless platform, cutting recovery time from a day to minutes and achieving over 100% ROI.

Read case study
88% faster recovery, 35% savings

NETGEAR replaced its legacy backup provider with Eon's cloud-native platform, cutting a 10TB recovery from 24 hours to under three and reducing backup storage costs by 35% in under a week.

Read case study
Backup Retention Policy: What to Keep, How Long, and Where

Turn your backups into usable data

Eon turns your backups into instantly searchable, usable data so you can recover exactly what you need without delays.

  • Instantly search backup data
  • Recover at any level
  • No full restores or downtime
See eon in action
See Eon in Action

Cut backup cost and complexity while adding instant restore and analytics.

See Eon in Action

Cut backup cost and complexity while adding instant restore and analytics.