Multi-account backup copy in AWS

In the previous post about the Landing Zone solution we looked at what an AWS Backup Policy is and how the AWS Backup service can be centrally managed across multiple AWS accounts. The backups were created in the same account and region as the target resource, but what can we do if we need to copy backups to another account for security reasons, or to a different AWS region for disaster recovery purposes? In this post we will look at the different ways of copying backups and their limitations. The examples and recommendations are based on the many projects implemented by Automat-IT.


Copying backups to a different AWS account

First of all, it is worth mentioning that AWS Backup has supported DocumentDB and Neptune since 8 November 2021, and we will check that as well:


As a prerequisite, you have to create a backup vault in your destination account. You must use a vault other than the default vault to perform cross-account backup. Then you assign a customer managed key to encrypt backups in the destination account, and a resource-based access policy that allows AWS Backup to access the resources you would like to copy. The following CloudFormation template can be used:

AWSTemplateFormatVersion: 2010-09-09
Description: This template creates backup vault required for the cross-account backup and cross-Region copy using AWS Backup

Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: AWS Backup Configuration
        Parameters:
          - vaultname
          - organizationid
          - sourceaccountid
    ParameterLabels:
      vaultname:
        default: Backup vault name
      organizationid:
        default: Enter your AWS organizations ID
      sourceaccountid:
        default: Enter the AWS account ID for your source backup account

Parameters:
  vaultname:
    Type: String
  organizationid:
    Type: String
  sourceaccountid:
    Type: String

Resources:
  cabKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: A symmetric CMK
      KeyPolicy:
        Version: 2012-10-17
        Id: cab-kms-key
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: !Sub 
                - 'arn:aws:iam::${yoursourceaccountid}:root'
                - yoursourceaccountid: !Ref sourceaccountid
            Action:
              - 'kms:DescribeKey'
              - 'kms:Encrypt'
              - 'kms:Decrypt'
              - 'kms:ReEncrypt*'
              - 'kms:GenerateDataKey'
              - 'kms:GenerateDataKeyWithoutPlaintext'
            Resource: '*'
          - Sid: Allow attachment of persistent resources
            Effect: Allow
            Principal:
              AWS: !Sub 
                - 'arn:aws:iam::${yoursourceaccountid}:root'
                - yoursourceaccountid: !Ref sourceaccountid
            Action:
              - 'kms:CreateGrant'
              - 'kms:ListGrants'
              - 'kms:RevokeGrant'
            Resource: '*'
            Condition:
              Bool:
                'kms:GrantIsForAWSResource': true
  cabvault:
    Type: 'AWS::Backup::BackupVault'
    Properties:
      AccessPolicy:
        Version: 2012-10-17
        Statement:
          - Sid: Enable backup vault access
            Effect: Allow
            Action: 'backup:CopyIntoBackupVault'
            Resource: '*'
            Principal: '*'
            Condition:
              StringEquals:
                'aws:PrincipalOrgID': !Ref organizationid
      BackupVaultName: !Ref vaultname
      EncryptionKeyArn: !GetAtt 
        - cabKey
        - Arn

Outputs:
  cabvault:
    Value: !Ref cabvault
  cabKey:
    Value: !Ref cabKey

For all services except Amazon EFS, cross-account backup only supports customer managed keys. It does not support vaults that are encrypted with AWS managed keys, including the default vaults, because AWS managed keys are not intended to be shared between accounts. In the source account, if your resources are encrypted with a customer managed key, you must share that customer managed key with the destination account. Resources encrypted with an AWS managed key cannot be copied:
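The prerequisites above (a non-default destination vault, a customer managed key, and a vault access policy that allows backup:CopyIntoBackupVault scoped to the organization) can be checked before the copy rule is rolled out. The following Python script is an added example, not code from this post or from Automat-IT; it works on inputs shaped like the boto3 responses named in its docstring, with constructed sample values (placeholder account, key and organization IDs) embedded so it runs offline.

```python
"""Preflight checks for a cross-account AWS Backup destination vault (added example).

Inputs mimic the shapes returned by boto3's backup.describe_backup_vault(),
backup.get_backup_vault_access_policy()['Policy'] (a JSON string) and
kms.describe_key()['KeyMetadata']; sample responses below are constructed.
"""
import json

DEFAULT_VAULT_NAME = "Default"  # the default vault cannot be a cross-account copy destination
COPY_ACTION = "backup:CopyIntoBackupVault"


def check_destination_vault(vault, access_policy, key_meta, org_id):
    """Return a list of findings; an empty list means the vault is ready for cross-account copy."""
    findings = []
    if vault["BackupVaultName"] == DEFAULT_VAULT_NAME:
        findings.append("vault is the default vault; cross-account copy needs a non-default vault")
    # For all services except EFS the destination vault must use a customer managed key.
    if key_meta["KeyManager"] != "CUSTOMER":
        findings.append("vault key is AWS managed; cross-account copy needs a customer managed key")
    policy = json.loads(access_policy) if isinstance(access_policy, str) else access_policy
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or COPY_ACTION not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if cond.get("aws:PrincipalOrgID") == org_id:
            allowed = True  # the pattern from the template above: any principal, limited to the org
        elif wildcard and not cond:
            allowed = True
            findings.append("%s is granted to every principal without an organization condition" % COPY_ACTION)
    if not allowed:
        findings.append("no statement allows %s for organization %s" % (COPY_ACTION, org_id))
    return findings


# Constructed sample responses; account id, key id and organization id are placeholders.
SAMPLE_VAULT = {"BackupVaultName": "cabvault",
                "EncryptionKeyArn": "arn:aws:kms:ap-southeast-2:111111111111:key/11111111-1111-1111-1111-111111111111"}
SAMPLE_KEY = {"Arn": SAMPLE_VAULT["EncryptionKeyArn"], "KeyManager": "CUSTOMER"}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable backup vault access", "Effect": "Allow", "Action": COPY_ACTION,
    "Resource": "*", "Principal": "*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]})

if __name__ == "__main__":
    print(check_destination_vault(SAMPLE_VAULT, SAMPLE_POLICY, SAMPLE_KEY, "o-exampleorgid") or ["vault OK"])
```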


You can then create a backup plan and choose a destination account that is part of your organizational unit in AWS Organizations.

The full backup policy looks like the following:

{
  "plans": {
    "backup": {
      "regions": {
        "@@assign": [
          "ap-southeast-2"
        ]
      },
      "rules": {
        "backup": {
          "schedule_expression": {
            "@@assign": "cron(10 14 ? * * *)"
          },
          "start_backup_window_minutes": {
            "@@assign": "60"
          },
          "complete_backup_window_minutes": {
            "@@assign": "120"
          },
          "lifecycle": {
            "delete_after_days": {
              "@@assign": "30"
            }
          },
          "target_backup_vault_name": {
            "@@assign": "Default"
          },
          "recovery_point_tags": {
            "Name": {
              "tag_key": {
                "@@assign": "Name"
              },
              "tag_value": {
                "@@assign": "BackupOrg"
              }
            }
          },
          "copy_actions": {
            "arn:aws:backup:ap-southeast-2:5**********9:backup-vault:cabvault": {
              "target_backup_vault_arn": {
                "@@assign": "arn:aws:backup:ap-southeast-2:5**********9:backup-vault:cabvault"
              },
              "lifecycle": {}
            }
          }
        }
      },
      "backup_plan_tags": {
        "Name": {
          "tag_key": {
            "@@assign": "Name"
          },
          "tag_value": {
            "@@assign": "Backup"
          }
        }
      },
      "selections": {
        "tags": {
          "backup": {
            "iam_role_arn": {
              "@@assign": "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"
            },
            "tag_key": {