Shlomi PeretsMulti-account backup copy in AWS
Updated: Aug 30
In the previous post about the Landing Zone solution we checked what AWS Backup Policy is and how we can centrally manage AWS Backup service across multiple AWS accounts. Backups were created in the same account and region with the target resource, but what can we do if we need to copy backups to another account for security reasons or to the different AWS region for disaster recovery purposes? In this post we will take a look at different ways and limitations of backups copying. Examples and recommendations are based on the many projects implemented by Automat-IT.
Copying backups to a different AWS account
First of all it worth mentioning that AWS Backup started supporting DocumentDB and Neptune on 8 November 2021 and we will check it:
As a prerequisite you have to create a backup vault in your destination account. You must use vaults other than your default vaults to perform cross-account backup. Then, you assign a customer managed key to encrypt backups in the destination account, and a resource-based access policy to allow AWS Backup to access the resources you would like to copy. The following CloudFormation template can be used:
AWSTemplateFormatVersion: 2010-09-09
Description: This template creates backup vault required for the cross-account backup and cross-Region copy using AWS Backup
Metadata:
'AWS::CloudFormation::Interface':
ParameterGroups:
- Label:
default: AWS Backup Configuration
Parameters:
- vaultname
- organizationid
- sourceaccountid
ParameterLabels:
vaultname:
default: Backup vault name
organizationid:
default: Enter your AWS organizations ID
sourceaccountid:
default: Enter the AWS account ID for your source backup account
Parameters:
Vaultname:
Type: String
organizationid:
Type: String
sourceaccountid:
Type: String
Resources:
cabKey:
Type: 'AWS::KMS::Key'
Properties:
Description: A symmetric CMK
KeyPolicy:
Version: 2012-10-17
Id: cab-kms-key
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
Action: 'kms:*'
Resource: '*'
- Sid: Allow use of the key
Effect: Allow
Principal:
AWS: !Sub
- 'arn:aws:iam::${yoursourceaccountid}:root'
- yoursourceaccountid: !Ref sourceaccountid
Action:
- 'kms:DescribeKey'
- 'kms:Encrypt'
- 'kms:Decrypt'
- 'kms:ReEncrypt*'
- 'kms:GenerateDataKey'
- 'kms:GenerateDataKeyWithoutPlaintext'
Resource: '*'
- Sid: Allow attachment of persistent resources
Effect: Allow
Principal:
AWS: !Sub
- 'arn:aws:iam::${yoursourceaccountid}:root'
- yoursourceaccountid: !Ref sourceaccountid
Action:
- 'kms:CreateGrant'
- 'kms:ListGrants'
- 'kms:RevokeGrant'
Resource: '*'
Condition:
Bool:
'kms:GrantIsForAWSResource': true
cabvault:
Type: 'AWS::Backup::BackupVault'
Properties:
AccessPolicy:
Version: 2012-10-17
Statement:
- Sid: Enable backup vault access
Effect: Allow
Action: 'backup:CopyIntoBackupVault'
Resource: '*'
Principal: '*'
Condition:
StringEquals:
'aws:PrincipalOrgID': !Ref organizationid
BackupVaultName: !Ref vaultname
EncryptionKeyArn: !GetAtt
- cabKey
- Arn
Outputs:
cabvault:
Value: !Ref cabvault
cabKey:
Value: !Ref cabKeyFor all services except Amazon EFS, cross-account backup only supports customer managed keys. It does not support vaults that are encrypted using AWS keys, including default vaults, because AWS keys are not intended to be shared between accounts. In the source account, if your resources are encrypted with a customer managed key, you must share this customer managed key with the destination account. Resources encrypted with AWS Managed key can not be copied:
You can then create a backup plan and choose a destination account that is part of your organizational unit in AWS Organizations.
Full backup policy looks like the following:
{
"plans": {
"backup": {
"regions": {
"@@assign": [
"ap-southeast-2"
]
},
"rules": {
"backup": {
"schedule_expression": {
"@@assign": "cron(10 14 ? * * *)"
},
"start_backup_window_minutes": {
"@@assign": "60"
},
"complete_backup_window_minutes": {
"@@assign": "120"
},
"lifecycle": {
"delete_after_days": {
"@@assign": "30"
}
},
"target_backup_vault_name": {
"@@assign": "Default"
},
"recovery_point_tags": {
"Name": {
"tag_key": {
"@@assign": "Name"
},
"tag_value": {
"@@assign": "BackupOrg"
}
}
},
"copy_actions": {
"arn:aws:backup:ap-southeast-2:5**********9:backup-vault:cabvault": {
"target_backup_vault_arn": {
"@@assign": "arn:aws:backup:ap-southeast-2:5**********9:backup-vault:cabvault"
},
"lifecycle": {}
}
}
}
},
"backup_plan_tags": {
"Name": {
"tag_key": {
"@@assign": "Name"
},
"tag_value": {
"@@assign": "Backup"
}
}
},
"selections": {
"tags": {
"backup": {
"iam_role_arn": {
"@@assign": "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"
},
"tag_key": {
"@@assign": "Backup"
},
"tag_value": {
"@@assign": [
"true"
]
}
}
}
},
"advanced_backup_settings": {
"ec2": {
"windows_vss": {
"@@assign": "disabled"
}
}
}
}
}
}When a backup jobs are executed by defined schedule you will see them in the AWS Backup console:
In the next tab you can see copy jobs:
And in the AWS Backup console of destination account you will see snapshots:
Make sure that your RDS, Aurora and DocumentDB automated backup window is different with AWS Backup plan window, otherwise you can get an error message:
One more limitation is that Amazon RDS, Aurora, DocumentDB and Neptune support cross-Region backup, or cross-account backup, but not both in the same backup plan. You can use an AWS Lambda script to accomplish both. Also, copying Amazon RDS custom option groups across AWS Regions is not supported.
Amazon EC2 does not allow cross-account copies of AWS Marketplace AMIs.
DynamoDB did not support cross-account backup until November 2021. Advanced DynamoDB backup appeared on November 24 2021. To use these enhanced backup features, you simply need to opt-in to have AWS Backup manage your DynamoDB backups via AWS Management Console or AWS Backup APIs.