Multi-account backup copy in AWS

Updated: Aug 30

In the previous post about the Landing Zone solution we looked at what an AWS Backup policy is and how AWS Backup can be managed centrally across multiple AWS accounts. In that setup the backups were created in the same account and Region as the protected resource. What if you need to copy backups to another account, so that a compromise or a mistake in the source account cannot also destroy its backups, or to a different AWS Region for disaster recovery? In this post we look at the ways backups can be copied and the limitations that apply. The examples and recommendations are based on the many projects implemented by Automat-IT.


Copying backups to a different AWS account

First of all, it is worth mentioning that AWS Backup added support for Amazon DocumentDB and Amazon Neptune on 8 November 2021, and the examples below cover them as well.


As a prerequisite you have to create a backup vault in the destination account. It must not be the default vault, because cross-account copy requires a vault encrypted with a customer managed key. The vault needs two things: a customer managed KMS key whose key policy lets the source account use it, and a resource-based vault access policy that allows principals in the source account (here, any account in your organization) to copy recovery points into the vault. The following CloudFormation template creates both:

AWSTemplateFormatVersion: 2010-09-09
Description: This template creates backup vault required for the cross-account backup and cross-Region copy using AWS Backup

Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: AWS Backup Configuration
        Parameters:
          - vaultname
          - organizationid
          - sourceaccountid
    ParameterLabels:
      vaultname:
        default: Backup vault name
      organizationid:
        default: Enter your AWS organizations ID
      sourceaccountid:
        default: Enter the AWS account ID for your source backup account

Parameters:
  # Parameter names are case-sensitive; this one is referenced as !Ref vaultname below
  vaultname:
    Type: String
  organizationid:
    Type: String
  sourceaccountid:
    Type: String

Resources:
  cabKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: A symmetric CMK
      KeyPolicy:
        Version: 2012-10-17
        Id: cab-kms-key
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: !Sub 
                - 'arn:aws:iam::${yoursourceaccountid}:root'
                - yoursourceaccountid: !Ref sourceaccountid
            Action:
              - 'kms:DescribeKey'
              - 'kms:Encrypt'
              - 'kms:Decrypt'
              - 'kms:ReEncrypt*'
              - 'kms:GenerateDataKey'
              - 'kms:GenerateDataKeyWithoutPlaintext'
            Resource: '*'
          - Sid: Allow attachment of persistent resources
            Effect: Allow
            Principal:
              AWS: !Sub 
                - 'arn:aws:iam::${yoursourceaccountid}:root'
                - yoursourceaccountid: !Ref sourceaccountid
            Action:
              - 'kms:CreateGrant'
              - 'kms:ListGrants'
              - 'kms:RevokeGrant'
            Resource: '*'
            Condition:
              Bool:
                'kms:GrantIsForAWSResource': true
  cabvault:
    Type: 'AWS::Backup::BackupVault'
    Properties:
      AccessPolicy:
        Version: 2012-10-17
        Statement:
          - Sid: Enable backup vault access
            Effect: Allow
            Action: 'backup:CopyIntoBackupVault'
            Resource: '*'
            Principal: '*'
            Condition:
              StringEquals:
                'aws:PrincipalOrgID': !Ref organizationid
      BackupVaultName: !Ref vaultname
      EncryptionKeyArn: !GetAtt 
        - cabKey
        - Arn

Outputs:
  cabvault:
    Value: !Ref cabvault
  cabKey:
    Value: !Ref cabKey

For all services except Amazon EFS, cross-account backup only supports customer managed keys. Vaults encrypted with AWS managed keys, including the default vaults, are not supported, because AWS managed keys cannot be shared between accounts. The same applies on the source side: if a resource is encrypted with a customer managed key, that key's policy must grant the destination account use of it, and resources encrypted with an AWS managed key (alias/aws/rds and the like) cannot be copied to another account at all.
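Because a copy job only fails once the plan runs, it pays to find resources that are encrypted with an AWS managed key before enabling cross-account copy. The following pre-flight check is an added example written for this post, not code from the original article or from AWS: it classifies each source resource from the KMS `KeyManager` field that `DescribeKey` returns (`AWS` for alias/aws/* keys, `CUSTOMER` for customer managed keys). The resource list, key table and account IDs are constructed sample data; `live_scan()` is an optional helper that pulls RDS instances and Aurora clusters from the current account with boto3 and is the only part that needs credentials.

```python
"""Pre-flight check for AWS Backup cross-account copy.

Flags source resources encrypted with an AWS managed key, which AWS Backup
cannot copy into another account. Added example; constructed sample data.
"""


def classify_key(key_metadata):
    """Map KMS DescribeKey KeyMetadata to 'CUSTOMER' or 'AWS'."""
    return "CUSTOMER" if key_metadata.get("KeyManager") == "CUSTOMER" else "AWS"


def check_resources(resources, key_table):
    """resources: dicts with 'arn', 'service' and 'kms_key_id' (None if unencrypted).
    key_table: {key_arn: KeyMetadata as returned by kms:DescribeKey}.
    Returns a list of (arn, verdict, reason) with verdict OK, BLOCKED or CHECK."""
    findings = []
    for r in resources:
        key_id = r.get("kms_key_id")
        if not key_id:
            findings.append((r["arn"], "OK", "not encrypted"))
            continue
        meta = key_table.get(key_id)
        if meta is None:
            # Key in another account or no kms:DescribeKey permission: cannot tell from here
            findings.append((r["arn"], "CHECK", "key not describable from this account"))
            continue
        if classify_key(meta) == "CUSTOMER":
            findings.append((r["arn"], "OK", "customer managed key; grant the destination account use of it"))
        elif r["service"] == "EFS":
            # EFS is the one service that accepts an AWS managed key for cross-account copy
            findings.append((r["arn"], "OK", "EFS allows AWS managed keys for cross-account copy"))
        else:
            findings.append((r["arn"], "BLOCKED", "AWS managed key (alias/aws/*) cannot be shared across accounts"))
    return findings


def blocked_arns(findings):
    """ARNs whose cross-account copy will fail."""
    return [arn for arn, verdict, _ in findings if verdict == "BLOCKED"]


# Constructed sample data (hypothetical account 111111111111 and key IDs)
AWS_MANAGED_KEY = "arn:aws:kms:ap-southeast-2:111111111111:key/11111111-aaaa-4bbb-8ccc-111111111111"
CUSTOMER_KEY = "arn:aws:kms:ap-southeast-2:111111111111:key/22222222-aaaa-4bbb-8ccc-222222222222"
SAMPLE_KEYS = {
    AWS_MANAGED_KEY: {"KeyManager": "AWS", "Description": "Default key for RDS volumes"},
    CUSTOMER_KEY: {"KeyManager": "CUSTOMER", "Description": "backup-source-cmk"},
}
SAMPLE_RESOURCES = [
    {"arn": "arn:aws:rds:ap-southeast-2:111111111111:db:orders", "service": "RDS", "kms_key_id": AWS_MANAGED_KEY},
    {"arn": "arn:aws:rds:ap-southeast-2:111111111111:cluster:orders-aurora", "service": "Aurora", "kms_key_id": CUSTOMER_KEY},
    {"arn": "arn:aws:elasticfilesystem:ap-southeast-2:111111111111:file-system/fs-0123", "service": "EFS", "kms_key_id": AWS_MANAGED_KEY},
    {"arn": "arn:aws:rds:ap-southeast-2:111111111111:db:legacy", "service": "RDS", "kms_key_id": None},
    {"arn": "arn:aws:rds:ap-southeast-2:111111111111:db:shared", "service": "RDS",
     "kms_key_id": "arn:aws:kms:ap-southeast-2:222222222222:key/33333333-aaaa-4bbb-8ccc-333333333333"},
]


def live_scan(region):
    """Classify the RDS instances and Aurora clusters of the current account.
    Needs boto3 and AWS credentials; imported lazily so the module works offline."""
    import boto3
    from botocore.exceptions import ClientError

    rds = boto3.client("rds", region_name=region)
    kms = boto3.client("kms", region_name=region)
    resources = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        for db in page["DBInstances"]:
            resources.append({"arn": db["DBInstanceArn"], "service": "RDS", "kms_key_id": db.get("KmsKeyId")})
    for page in rds.get_paginator("describe_db_clusters").paginate():
        for cluster in page["DBClusters"]:
            resources.append({"arn": cluster["DBClusterArn"], "service": "Aurora", "kms_key_id": cluster.get("KmsKeyId")})
    key_table = {}
    for key_arn in {r["kms_key_id"] for r in resources if r["kms_key_id"]}:
        try:
            key_table[key_arn] = kms.describe_key(KeyId=key_arn)["KeyMetadata"]
        except ClientError:
            pass  # reported as CHECK by check_resources
    return check_resources(resources, key_table)


if __name__ == "__main__":
    for arn, verdict, reason in check_resources(SAMPLE_RESOURCES, SAMPLE_KEYS):
        print(f"{verdict:8} {arn}  ({reason})")
```

A `CHECK` result means the key lives in another account or the caller lacks `kms:DescribeKey`; inspect that key's policy by hand. DocumentDB and Neptune clusters are not pulled by `live_scan()` as written, so feed them in as resource dicts if you rely on it.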


You can then create a backup plan and choose a destination account that belongs to your organization in AWS Organizations.

The full backup policy, with the cross-account copy configured in `copy_actions`, looks like this:

{
  "plans": {
    "backup": {
      "regions": {
        "@@assign": [
          "ap-southeast-2"
        ]
      },
      "rules": {
        "backup": {
          "schedule_expression": {
            "@@assign": "cron(10 14 ? * * *)"
          },
          "start_backup_window_minutes": {
            "@@assign": "60"
          },
          "complete_backup_window_minutes": {
            "@@assign": "120"
          },
          "lifecycle": {
            "delete_after_days": {
              "@@assign": "30"
            }
          },
          "target_backup_vault_name": {
            "@@assign": "Default"
          },
          "recovery_point_tags": {
            "Name": {
              "tag_key": {
                "@@assign": "Name"
              },
              "tag_value": {
                "@@assign": "BackupOrg"
              }
            }
          },
          "copy_actions": {
            "arn:aws:backup:ap-southeast-2:5**********9:backup-vault:cabvault": {
              "target_backup_vault_arn": {
                "@@assign": "arn:aws:backup:ap-southeast-2:5**********9:backup-vault:cabvault"
              },
              "lifecycle": {}
            }
          }
        }
      },
      "backup_plan_tags": {
        "Name": {
          "tag_key": {
            "@@assign": "Name"
          },
          "tag_value": {
            "@@assign": "Backup"
          }
        }
      },
      "selections": {
        "tags": {
          "backup": {
            "iam_role_arn": {
              "@@assign": "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"
            },
            "tag_key": {
              "@@assign": "Backup"
            },
            "tag_value": {
              "@@assign": [
                "true"
              ]
            }
          }
        }
      },
      "advanced_backup_settings": {
        "ec2": {
          "windows_vss": {
            "@@assign": "disabled"
          }
        }
      }
    }
  }
}

When the backup jobs run on the defined schedule they appear under Jobs in the AWS Backup console of the source account.

The next tab shows the copy jobs.

In the AWS Backup console of the destination account you will see the copied recovery points (snapshots) in the destination vault.


Make sure that the automated backup window of your RDS, Aurora and DocumentDB instances does not overlap the AWS Backup plan window; if the two overlap, the AWS Backup job can fail with an error because the instance is already backing up.
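The overlap is easy to miss when a window wraps past midnight UTC. The following check is an added example for this post (not code from the original article): it takes the RDS-style `PreferredBackupWindow` string (`hh24:mi-hh24:mi`, UTC) and the plan's fixed daily `cron(minute hour ? * * *)` expression plus `start_backup_window_minutes`, the same values used in the policy above, and reports how many minutes the two windows overlap. Only fixed daily cron expressions are handled; the instance windows are constructed sample data.

```python
"""Detect overlap between RDS/Aurora/DocumentDB automated backup windows and an
AWS Backup plan's start window. Added example; windows below are constructed."""
import re

DAY = 24 * 60  # minutes per day; everything is expressed in minutes after 00:00 UTC


def parse_hhmm(value):
    hours, minutes = value.split(":")
    return int(hours) * 60 + int(minutes)


def window_segments(start, length):
    """Half-open minute ranges on the 0..1440 line, split where the window crosses midnight."""
    start %= DAY
    end = start + length
    if end <= DAY:
        return [(start, end)]
    return [(start, DAY), (0, end - DAY)]


def rds_window_segments(window):
    """'23:45-00:15' -> [(1425, 1440), (0, 15)]"""
    first, second = window.split("-")
    start, end = parse_hhmm(first), parse_hhmm(second)
    return window_segments(start, (end - start) % DAY)


def backup_window_segments(cron_expr, start_window_minutes):
    """Segments during which an AWS Backup job may start for a fixed daily schedule."""
    match = re.fullmatch(r"cron\((\d{1,2}) (\d{1,2}) \? \* \* \*\)", cron_expr.strip())
    if not match:
        raise ValueError("only fixed daily cron(minute hour ? * * *) expressions are handled")
    minute, hour = int(match.group(1)), int(match.group(2))
    return window_segments(hour * 60 + minute, start_window_minutes)


def overlap_minutes(segments_a, segments_b):
    total = 0
    for a0, a1 in segments_a:
        for b0, b1 in segments_b:
            total += max(0, min(a1, b1) - max(a0, b0))
    return total


def windows_overlap(rds_window, cron_expr, start_window_minutes):
    return overlap_minutes(rds_window_segments(rds_window),
                           backup_window_segments(cron_expr, start_window_minutes)) > 0


def conflicting_instances(instance_windows, cron_expr, start_window_minutes):
    """instance_windows: {identifier: PreferredBackupWindow}. Returns the identifiers that clash."""
    return sorted(name for name, window in instance_windows.items()
                  if windows_overlap(window, cron_expr, start_window_minutes))


# Constructed sample: the plan from the policy above starts at 14:10 UTC with a 60-minute start window
PLAN_CRON = "cron(10 14 ? * * *)"
PLAN_START_WINDOW = 60
SAMPLE_WINDOWS = {
    "orders": "14:30-15:00",     # inside the plan window: clash
    "reporting": "03:00-03:30",  # well away from the plan window
    "legacy": "23:45-00:15",     # wraps midnight, still clear of 14:10-15:10
}

if __name__ == "__main__":
    print("conflicts:", conflicting_instances(SAMPLE_WINDOWS, PLAN_CRON, PLAN_START_WINDOW))
```

The check uses the start window because that is when the AWS Backup job can be launched; for a conservative result pass `start_backup_window_minutes + complete_backup_window_minutes` instead, since a snapshot that starts late may still be running when the automated window opens.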


One more limitation: Amazon RDS, Aurora, DocumentDB and Neptune support either cross-Region copy or cross-account copy in a backup plan, but not both in the same plan. You can use an AWS Lambda function to accomplish both. Also, copying Amazon RDS custom option groups across AWS Regions is not supported.
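One way to get both with a Lambda function is a second hop: the plan copies cross-account into the central vault, and a Lambda in the destination account copies that recovery point on to a vault in the DR Region. The handler below is an added example written for this post, not code from the original article or from AWS. It assumes an EventBridge rule in the central account on `source = aws.backup`, `detail-type = Copy Job State Change`, that the inbound copy's completion event is delivered there (verify this in your environment), and that the DR vault, the copy role and the vault/role ARNs in the environment variables exist; all ARNs and account IDs are hypothetical, and the sample event is constructed. `build_second_hop()` holds the decision logic so it can be exercised without AWS; only `handler()` calls the `StartCopyJob` API.

```python
"""Second-hop copy for AWS Backup: cross-account first, then cross-Region.
Runs as a Lambda in the destination (central backup) account. Added example."""
import os
import uuid

# Hypothetical configuration, normally supplied as Lambda environment variables
CENTRAL_VAULT_ARN = os.environ.get(
    "CENTRAL_VAULT_ARN", "arn:aws:backup:ap-southeast-2:999999999999:backup-vault:cabvault")
DR_VAULT_ARN = os.environ.get(
    "DR_VAULT_ARN", "arn:aws:backup:us-west-2:999999999999:backup-vault:drvault")
COPY_ROLE_ARN = os.environ.get(
    "COPY_ROLE_ARN", "arn:aws:iam::999999999999:role/service-role/AWSBackupDefaultServiceRole")
DR_RETENTION_DAYS = int(os.environ.get("DR_RETENTION_DAYS", "30"))


def vault_name_from_arn(vault_arn):
    """arn:aws:backup:<region>:<account>:backup-vault:<name> -> <name>"""
    prefix, _, name = vault_arn.rpartition(":")
    if not prefix.endswith(":backup-vault") or not name:
        raise ValueError(f"not a backup vault ARN: {vault_arn}")
    return name


def build_second_hop(detail):
    """StartCopyJob parameters for a completed copy that landed in the central vault, else None."""
    if detail.get("state") != "COMPLETED":
        return None
    # Only react to copies INTO the central vault. The second hop's own completion
    # event names the DR vault as destination, so this also prevents a copy loop.
    if detail.get("destinationBackupVaultArn") != CENTRAL_VAULT_ARN:
        return None
    recovery_point_arn = detail.get("destinationRecoveryPointArn")
    if not recovery_point_arn:
        return None
    return {
        "RecoveryPointArn": recovery_point_arn,
        "SourceBackupVaultName": vault_name_from_arn(CENTRAL_VAULT_ARN),
        "DestinationBackupVaultArn": DR_VAULT_ARN,
        "IamRoleArn": COPY_ROLE_ARN,
        # Deterministic per recovery point, so a retried event does not start a duplicate copy
        "IdempotencyToken": str(uuid.uuid5(uuid.NAMESPACE_URL, recovery_point_arn)),
        "Lifecycle": {"DeleteAfterDays": DR_RETENTION_DAYS},
    }


def handler(event, context):
    if event.get("source") != "aws.backup" or event.get("detail-type") != "Copy Job State Change":
        return {"skipped": "not a copy job event"}
    params = build_second_hop(event.get("detail", {}))
    if params is None:
        return {"skipped": "not a completed first-hop copy"}
    import boto3  # imported here so the module loads without the SDK
    backup = boto3.client("backup", region_name=CENTRAL_VAULT_ARN.split(":")[3])
    response = backup.start_copy_job(**params)
    return {"copyJobId": response["CopyJobId"]}


# Constructed sample event (shape assumed from AWS Backup's Copy Job State Change events)
SAMPLE_EVENT = {
    "source": "aws.backup",
    "detail-type": "Copy Job State Change",
    "detail": {
        "copyJobId": "1a2b3c4d-0000-0000-0000-000000000000",
        "state": "COMPLETED",
        "resourceType": "RDS",
        "sourceBackupVaultArn": "arn:aws:backup:ap-southeast-2:111111111111:backup-vault:Default",
        "destinationBackupVaultArn": CENTRAL_VAULT_ARN,
        "destinationRecoveryPointArn": "arn:aws:rds:ap-southeast-2:999999999999:snapshot:awsbackup:job-1a2b3c4d",
    },
}

if __name__ == "__main__":
    print(build_second_hop(SAMPLE_EVENT["detail"]))
```

The Lambda's execution role needs `backup:StartCopyJob` and `iam:PassRole` on the copy role; the copy role itself needs the usual AWS Backup permissions in the central account. A failed second hop surfaces as a copy job event with state FAILED, which is worth alerting on, since the plan in the source account will report success even though the DR copy never happened.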


Amazon EC2 does not allow cross-account copies of AWS Marketplace AMIs.


DynamoDB did not support cross-account backup until November 2021: the advanced DynamoDB backup features of AWS Backup were released on 24 November 2021. To use them you need to opt in to having AWS Backup manage your DynamoDB backups, via the AWS Management Console or the AWS Backup API.