AWS Control Tower Backup Integration: Best Practices Guide

3 minute read
Content level: Intermediate
Guide on integrating AWS Backup into your Control Tower Well-Architected Landing Zone to leverage multi-account best practices

Why Use AWS Backup with AWS Control Tower

AWS Backup integration with Control Tower provides centralized and automated backup management across your multi-account environment, offering:

A Consistent Multi-Account Backup Strategy

  • Standardized backup policies across organizational units
  • Automated backup deployment for new accounts
  • Centralized backup storage and management

Enhanced Security

  • Cross-account backup copies for disaster recovery
  • Dedicated backup administrator account
  • KMS encryption for sensitive data

Simplified Compliance

  • Centralized audit and reporting
  • Automated backup policy enforcement
  • Standardized retention policies
  • Bespoke backup configurations can still be used where needed

Implementation Best Practices

Account Structure - Designate dedicated accounts

  • Central Backup Account: Stores cross-account backup copies
  • Backup Administrator Account: Manages backup auditing and reporting

Backup Planning

Follow recommended retention schedules:

  • Hourly: 2-week local retention
  • Daily: 2-week local + 1-month central retention
  • Weekly: 1-month local + 3-month central retention
  • Monthly: 3-month local + 3-month central retention

Resource Tagging Strategy

Use standardized tags for backup frequency. Possible tags:

  • aws-control-tower-backuphourly
  • aws-control-tower-backupdaily
  • aws-control-tower-backupweekly
  • aws-control-tower-backupmonthly
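To make the retention schedule and the tag-based selection above concrete, here is an added example (not code from this guide, and not Control Tower's own managed configuration) that renders the four tiers as an AWS Organizations backup policy document and audits an existing policy against the recommended numbers. It assumes a month is 30 days, that resources carry the listed tag keys with the value `true`, and that cross-account copies land in one Region of the central backup account; the vault names, IAM role and account ID are constructed placeholders. Where Control Tower manages backups for the landing zone, attaching such a policy by hand is exactly the drift the guide warns against, so use the builder for accounts outside Control Tower's backup management and the audit functions to review what is actually deployed.

```python
"""Recommended Control Tower retention tiers expressed as an AWS Organizations
backup policy, plus an audit of a deployed policy against those tiers.

Added example, not Control Tower's managed configuration. The policy format
(plans / rules / selections with "@@assign") is the Organizations backup
policy syntax; the $account variable is expanded by Organizations.
"""
import json

# Retention schedule from the guide, in days. A month is taken as 30 days
# (an assumption). None means no cross-account (central) copy for that tier.
RECOMMENDED = {
    "hourly":  {"local": 14, "central": None, "schedule": "cron(0 * * * ? *)"},
    "daily":   {"local": 14, "central": 30,   "schedule": "cron(0 5 * * ? *)"},
    "weekly":  {"local": 30, "central": 90,   "schedule": "cron(0 5 ? * SUN *)"},
    "monthly": {"local": 90, "central": 90,   "schedule": "cron(0 5 1 * ? *)"},
}
TAG_PREFIX = "aws-control-tower-backup"  # tag keys from the guide, e.g. ...backupdaily
TAG_VALUE = "true"                       # assumed tag value; the guide lists only keys


def build_backup_policy(central_account_id, central_region, governed_regions,
                        backup_role_arn, local_vault="Default",
                        central_vault="central-backup-vault"):
    """Return a backup policy dict with one plan per frequency tier.

    Vault names, the IAM role and a single central_region for cross-account
    copies are assumptions made for this example.
    """
    plans = {}
    for tier, cfg in RECOMMENDED.items():
        rule = {
            "schedule_expression": {"@@assign": cfg["schedule"]},
            "target_backup_vault_name": {"@@assign": local_vault},
            "lifecycle": {"delete_after_days": {"@@assign": str(cfg["local"])}},
        }
        if cfg["central"] is not None:
            # Cross-account copy into the central backup account's vault.
            vault_arn = (f"arn:aws:backup:{central_region}:{central_account_id}"
                         f":backup-vault:{central_vault}")
            rule["copy_actions"] = {vault_arn: {
                "target_backup_vault_arn": {"@@assign": vault_arn},
                "lifecycle": {"delete_after_days": {"@@assign": str(cfg["central"])}},
            }}
        plans[f"ct-{tier}"] = {
            "regions": {"@@assign": list(governed_regions)},
            "rules": {tier: rule},
            # Tag-based selection: a resource opts into a tier with one tag.
            "selections": {"tags": {f"{tier}-tagged": {
                "iam_role_arn": {"@@assign": backup_role_arn},
                "tag_key": {"@@assign": f"{TAG_PREFIX}{tier}"},
                "tag_value": {"@@assign": [TAG_VALUE]},
            }}},
        }
    return {"plans": plans}


def summarize_retention(policy):
    """Map rule name -> (local_days, central_days or None) for a policy in
    this format, e.g. the content returned by describe-policy."""
    out = {}
    for plan in policy.get("plans", {}).values():
        for name, rule in plan.get("rules", {}).items():
            local = int(rule["lifecycle"]["delete_after_days"]["@@assign"])
            central = None
            for copy_action in rule.get("copy_actions", {}).values():
                central = int(copy_action["lifecycle"]["delete_after_days"]["@@assign"])
            out[name] = (local, central)
    return out


def deviations(policy):
    """Return the tiers whose retention differs from the recommended schedule."""
    actual = summarize_retention(policy)
    diffs = {}
    for tier, cfg in RECOMMENDED.items():
        want = (cfg["local"], cfg["central"])
        got = actual.get(tier)
        if got != want:
            diffs[tier] = {"recommended": want, "actual": got}
    return diffs


if __name__ == "__main__":
    policy = build_backup_policy(
        central_account_id="111122223333",          # constructed sample
        central_region="us-east-1",
        governed_regions=["us-east-1", "eu-west-1"],
        backup_role_arn="arn:aws:iam::$account:role/BackupRole",  # assumed role
    )
    print(json.dumps(policy, indent=2))
    print("deviations:", deviations(policy))
```

The printed JSON is in the shape accepted by `aws organizations create-policy --type BACKUP_POLICY`; the audit side runs against the content of `aws organizations describe-policy` for a policy already attached to an OU, which is how you verify the deployed schedule without touching the Control Tower managed settings.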

Security Configuration

  • Implement proper KMS key policies
  • Replicate KMS keys across all governed regions
  • Enable backups for Security OU to protect audit and log archive accounts

Implementation

For implementation steps, see Enable Backups in the Control Tower User Guide [1].

Key Considerations

Prerequisites

  • Existing AWS Organizations structure
  • Two dedicated AWS accounts outside Control Tower
  • Multi-Region KMS key properly configured and replicated to every AWS Region that you plan to govern with AWS Control Tower
  • For an example KMS key policy, see the Prerequisites section of the Control Tower User Guide [2]
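The Security Configuration section and the prerequisite above both hinge on one check that is easy to get wrong: the backup key must be a multi-Region key whose replicas exist in every governed Region. Here is an added example (not code from this guide or from Control Tower) that evaluates the `KeyMetadata` structure returned by the KMS `DescribeKey` API against the list of Regions you intend to govern. The key metadata below is a constructed sample in that shape; fetching the real one (for instance with `aws kms describe-key --key-id <key-arn>`) is left to the caller, and the requirement that the key be a symmetric encryption key is stated as an assumption about backup vault encryption.

```python
"""Check the backup KMS key against the guide's prerequisite: a multi-Region
key replicated to every Region Control Tower will govern.

Added example; it reads the KeyMetadata shape returned by KMS DescribeKey
and runs offline on the constructed sample below.
"""

# Constructed sample in the DescribeKey.KeyMetadata shape: a primary key in
# us-east-1 with a single replica in eu-west-1. Account ID and key ID are
# placeholders.
SAMPLE_KEY_METADATA = {
    "KeyId": "mrk-00000000000000000000000000000000",
    "Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-00000000000000000000000000000000",
    "KeyState": "Enabled",
    "KeySpec": "SYMMETRIC_DEFAULT",
    "MultiRegion": True,
    "MultiRegionConfiguration": {
        "MultiRegionKeyType": "PRIMARY",
        "PrimaryKey": {
            "Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-00000000000000000000000000000000",
            "Region": "us-east-1",
        },
        "ReplicaKeys": [
            {
                "Arn": "arn:aws:kms:eu-west-1:111122223333:key/mrk-00000000000000000000000000000000",
                "Region": "eu-west-1",
            }
        ],
    },
}

# Regions the landing zone is (or will be) configured to govern; constructed.
GOVERNED_REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-2"]


def key_coverage(key_metadata, governed_regions):
    """Return a report on whether the key can serve every governed Region.

    The report lists structural problems with the key itself, the governed
    Regions that have neither the primary key nor a replica, and replicas in
    Regions that are not governed (harmless, but worth knowing about).
    """
    problems = []
    if not key_metadata.get("MultiRegion"):
        problems.append("key is single-Region; a multi-Region key is required")
    mrc = key_metadata.get("MultiRegionConfiguration", {})
    if mrc.get("MultiRegionKeyType") == "REPLICA":
        problems.append("this is a replica; run the check against the primary key")
    if key_metadata.get("KeyState") != "Enabled":
        problems.append(f"key state is {key_metadata.get('KeyState')!r}, expected 'Enabled'")
    # Assumption for this example: backup vaults are encrypted with a symmetric key.
    if key_metadata.get("KeySpec", "SYMMETRIC_DEFAULT") != "SYMMETRIC_DEFAULT":
        problems.append("key is not a symmetric encryption key")

    covered = set()
    primary_region = mrc.get("PrimaryKey", {}).get("Region")
    if primary_region:
        covered.add(primary_region)
    for replica in mrc.get("ReplicaKeys", []):
        covered.add(replica["Region"])

    missing = sorted(set(governed_regions) - covered)
    unused = sorted(covered - set(governed_regions))
    return {
        "ok": not problems and not missing,
        "problems": problems,
        "missing_regions": missing,
        "unused_replicas": unused,
    }


if __name__ == "__main__":
    report = key_coverage(SAMPLE_KEY_METADATA, GOVERNED_REGIONS)
    for field, value in report.items():
        print(f"{field}: {value}")
```

Run it before enabling backups and again whenever a Region is added to the landing zone: a Region that appears under `missing_regions` needs a replica created from the primary key, with the same key policy, before backups in that Region can use it.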

Cost considerations

  • No cost for configuration
  • Standard AWS Backup pricing applies

Drift Management

  • Avoid modifying backup configurations directly
  • Don't move administrator or central backup accounts
  • Maintain KMS key policies

Service Integration

  • Opt-in required for new resource types
  • Review supported services in AWS Backup console
  • Account movement requires backup re-enablement

Resource Retention

  • Existing backups retained after disablement
  • Local vaults preserved when disabled
  • Cross-account copies maintained in central account

For more detail on AWS Backup and AWS Control Tower, see the Control Tower User Guide [3]. If you have any issues and need assistance troubleshooting AWS Backup with AWS Control Tower, please contact support [4].

[1] https://docs.aws.amazon.com/controltower/latest/userguide/enable-backup.html

[2] https://docs.aws.amazon.com/controltower/latest/userguide/backup-prerequisites.html

[3] https://docs.aws.amazon.com/controltower/latest/userguide/backup.html

[4] https://docs.aws.amazon.com/awssupport/latest/user/case-management.html#creating-a-support-case

AWS EXPERT, published 10 months ago, 1.3K views
5 Comments

Thanks for this.

replied 10 months ago

Which account should host the KMS multi-Region key according to best practices? I haven't found any clear guidance on this in the AWS documentation for AWS Backup with Control Tower.

Should it be created in the management account or the Central Backup account?

replied 9 months ago

I would recommend hosting the multi-Region KMS key in the Central Backup account. This aligns with the principle of least privilege and isolation. In the event of a compromise in your management account, this would limit impact to your backup encryption keys.

AWS EXPERT replied 9 months ago

Recommended retention for backups is mentioned, but how do you actually configure retention via Control Tower?

replied 6 months ago

@Chad Myers - Console: You can set up backups for your landing zone in the AWS Control Tower console, on the Landing zone settings page. You'll see this option during the initial landing zone setup operation, and you can revisit it later with a landing zone update. This can also be done via API. More detail here: https://docs.aws.amazon.com/controltower/latest/userguide/enable-backup.html#backups-on-lz

AWS EXPERT replied 6 months ago