Multi-account backup copy in AWS
In the previous post about the Landing Zone solution we looked at what an AWS Backup policy is and how the AWS Backup service can be managed centrally across multiple AWS accounts. Those backups were created in the same account and Region as the target resource, but what can we do if backups must be copied to another account for security reasons, or to a different AWS Region for disaster recovery? In this post we take a look at the ways backups can be copied and at the limitations of each. Examples and recommendations are based on the many projects implemented by Automat-IT.
Copying backups to a different AWS account
First of all, it is worth mentioning that AWS Backup added support for DocumentDB and Neptune on 8 November 2021, which we will check as well:

As a prerequisite, you have to create a backup vault in the destination account. It must be a vault other than the default vault, because default vaults cannot be used for cross-account backup. You then assign a customer managed KMS key to encrypt the backups in the destination account, and a resource-based access policy on the vault that allows AWS Backup in the source account to copy recovery points into it. The following CloudFormation template can be used (the vault access policy trusts any principal in your organization, restricted by the aws:PrincipalOrgID condition; the key policy grants the source account the KMS actions the copy needs):
AWSTemplateFormatVersion: 2010-09-09
Description: This template creates the backup vault required for cross-account backup and cross-Region copy using AWS Backup
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: AWS Backup Configuration
        Parameters:
          - vaultname
          - organizationid
          - sourceaccountid
    ParameterLabels:
      vaultname:
        default: Backup vault name
      organizationid:
        default: Enter your AWS organizations ID
      sourceaccountid:
        default: Enter the AWS account ID for your source backup account
Parameters:
  # Parameter names are case-sensitive: this must match the !Ref vaultname below
  vaultname:
    Type: String
  organizationid:
    Type: String
  sourceaccountid:
    Type: String
Resources:
  # Customer managed key that encrypts the destination vault; AWS managed keys
  # cannot be shared with another account, so a CMK is mandatory here
  cabKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: A symmetric CMK
      KeyPolicy:
        Version: '2012-10-17'
        Id: cab-kms-key
        Statement:
          # Full control for the destination account itself
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          # Cryptographic operations the source account needs to copy into the vault
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: !Sub
                - 'arn:aws:iam::${yoursourceaccountid}:root'
                - yoursourceaccountid: !Ref sourceaccountid
            Action:
              - 'kms:DescribeKey'
              - 'kms:Encrypt'
              - 'kms:Decrypt'
              - 'kms:ReEncrypt*'
              - 'kms:GenerateDataKey'
              - 'kms:GenerateDataKeyWithoutPlaintext'
            Resource: '*'
          # Grants, limited to those created on behalf of an AWS service
          - Sid: Allow attachment of persistent resources
            Effect: Allow
            Principal:
              AWS: !Sub
                - 'arn:aws:iam::${yoursourceaccountid}:root'
                - yoursourceaccountid: !Ref sourceaccountid
            Action:
              - 'kms:CreateGrant'
              - 'kms:ListGrants'
              - 'kms:RevokeGrant'
            Resource: '*'
            Condition:
              Bool:
                'kms:GrantIsForAWSResource': true
  # Non-default vault; any account in the organization may copy into it
  cabvault:
    Type: 'AWS::Backup::BackupVault'
    Properties:
      AccessPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable backup vault access
            Effect: Allow
            Action: 'backup:CopyIntoBackupVault'
            Resource: '*'
            Principal: '*'
            Condition:
              StringEquals:
                'aws:PrincipalOrgID': !Ref organizationid
      BackupVaultName: !Ref vaultname
      EncryptionKeyArn: !GetAtt
        - cabKey
        - Arn
Outputs:
  cabvault:
    Value: !Ref cabvault
  cabKey:
    Value: !Ref cabKey
For all services except Amazon EFS, cross-account backup only supports customer managed keys. It does not support vaults that are encrypted with AWS managed keys, including default vaults, because AWS managed keys cannot be shared between accounts. In the source account, if your resources are encrypted with a customer managed key, you must share that key with the destination account. Resources encrypted with an AWS managed key cannot be copied cross-account:

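The key-sharing rules above are the usual reason a cross-account copy job fails, so it pays to check them before the first scheduled run. The following pre-flight check is an added example, not code from the original post or from Automat-IT. It classifies a KMS key as AWS managed or customer managed and verifies that the key policy grants the peer account's root principal the KMS actions used in the template above (that REQUIRED_ACTIONS list is an assumption derived from the template, not an official AWS list). The checks work on the plain dicts that boto3's kms.describe_key() and kms.get_key_policy() return, so they run offline on the constructed sample data; preflight_live() shows the live wiring and assumes boto3 and valid credentials. The account IDs 111111111111, 222222222222 and 333333333333 are constructed values.

```python
"""Pre-flight check for an AWS Backup cross-account copy (added example).

Works in both directions: run it on the source resource's key with the
destination account as peer, or on the destination vault key with the
source account as peer.
"""
import fnmatch
import json

# Assumed list, mirroring the "Allow use of the key" and "Allow attachment of
# persistent resources" statements in the CloudFormation template above.
REQUIRED_ACTIONS = (
    "kms:DescribeKey",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptFrom",
    "kms:CreateGrant",
)


def is_customer_managed(key_metadata):
    """True when DescribeKey reports KeyManager == CUSTOMER (AWS managed keys report AWS)."""
    return key_metadata.get("KeyManager") == "CUSTOMER"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _aws_principals(statement):
    """Normalise the Principal element to a list of ARNs, or ['*'] for the wildcard."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS")) if isinstance(principal, dict) else []


def missing_actions(key_policy, peer_account):
    """Return the REQUIRED_ACTIONS that no Allow statement grants to peer_account's root.

    Wildcard actions such as kms:ReEncrypt* are matched with fnmatch. Deny
    statements and Conditions are not evaluated, so an empty result is a
    necessary, not a sufficient, condition for the copy to succeed.
    """
    root_arn = f"arn:aws:iam::{peer_account}:root"
    granted = set()
    for statement in key_policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if not any(p in ("*", root_arn) for p in _aws_principals(statement)):
            continue
        for pattern in _as_list(statement.get("Action")):
            granted.update(a for a in REQUIRED_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    return [a for a in REQUIRED_ACTIONS if a not in granted]


def preflight(key_metadata, key_policy, peer_account):
    """Combine both checks into a verdict dict with a human-readable reason."""
    if not is_customer_managed(key_metadata):
        return {"ok": False, "reason": "key is AWS managed; cross-account copy is not supported"}
    missing = missing_actions(key_policy, peer_account)
    if missing:
        return {"ok": False, "reason": f"key policy does not grant {peer_account}: {', '.join(missing)}"}
    return {"ok": True, "reason": "customer managed key is shared with the peer account"}


def preflight_live(key_id, peer_account, region):
    """Run preflight() against a real key. Needs boto3 and credentials; not exercised offline."""
    import boto3  # imported lazily so the offline functions above need no SDK

    kms = boto3.client("kms", region_name=region)
    metadata = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    policy = json.loads(kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"])
    return preflight(metadata, policy, peer_account)


# --- constructed sample data, shaped like the boto3 responses ----------------
SAMPLE_AWS_MANAGED_KEY = {"KeyId": "aws-managed-key-id", "KeyManager": "AWS"}
SAMPLE_CUSTOMER_KEY = {"KeyId": "customer-key-id", "KeyManager": "CUSTOMER"}

# Mirrors the KeyPolicy in the template: own account 111111111111 gets kms:*,
# peer account 222222222222 gets the use and grant statements, 333333333333 nothing.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}

if __name__ == "__main__":
    for label, meta in (("AWS managed", SAMPLE_AWS_MANAGED_KEY), ("customer", SAMPLE_CUSTOMER_KEY)):
        for peer in ("222222222222", "333333333333"):
            print(label, peer, preflight(meta, SAMPLE_KEY_POLICY, peer))
```

Run against the sample data, the AWS managed key is rejected outright, the customer managed key passes for account 222222222222 and fails for 333333333333 with the full list of missing actions. The policy walk deliberately ignores Deny statements and Conditions, so treat a pass as "nothing obviously wrong" and still confirm with a test copy job.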
You can then create a backup plan and choose a destination account that belongs to an organizational unit of your organization in AWS Organizations.

The full backup policy (the copy_actions block references the cross-account vault created by the template above) looks like the following:
{
  "plans": {
    "backup": {
      "regions": {
        "@@assign": [
          "ap-southeast-2"
        ]
      },
      "rules": {
        "backup": {
          "schedule_expression": {
            "@@assign": "cron(10 14 ? * * *)"
          },
          "start_backup_window_minutes": {
            "@@assign": "60"
          },
          "complete_backup_window_minutes": {
            "@@assign": "120"
          },
          "lifecycle": {
            "delete_after_days": {
              "@@assign": "30"
            }
          },
          "target_backup_vault_name": {
            "@@assign": "Default"
          },
          "recovery_point_tags": {
            "Name": {
              "tag_key": {
                "@@assign": "Name"
              },
              "tag_value": {
                "@@assign": "BackupOrg"
              }
            }
          },
          "copy_actions": {
            "arn:aws:backup:ap-southeast-2:5**********9:backup-vault:cabvault": {
              "target_backup_vault_arn": {
                "@@assign": "arn:aws:backup:ap-southeast-2:5**********9:backup-vault:cabvault"
              },
              "lifecycle": {}
            }
          }
        }
      },
      "backup_plan_tags": {
        "Name": {
          "tag_key": {
            "@@assign": "Name"
          },
          "tag_value": {
            "@@assign": "Backup"
          }
        }
      },
      "selections": {
        "tags": {
          "backup": {
            "iam_role_arn": {
              "@@assign": "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"
            },
            "tag_key": {