How can I copy AWS Backups across AWS accounts?

6 minute read
0

I want to use AWS Backup to create backups across multiple AWS accounts.

Short description

When using AWS, you must configure the correct permissions to perform actions across multiple AWS accounts. Also, before you use AWS Backup to manage cross-account resources, the accounts that you're using must belong to the same organization in the AWS Organizations service.

Most of the resources that AWS Backup supports allow you to create cross-account backups. For more information, see Feature availability by resource.

Resolution

Source account requirements

The account that hosts your production AWS resources and primary backups is known as the source account. Before you configure cross-account backups, review the requirements for your source account:

  • If the resources in your source account are encrypted with a customer managed key, then share this key with the destination account. For all services except those that support full AWS Backup Management, the cross-account backup feature supports only customer managed keys. AWS keys aren't supported, because they can't be shared between accounts.
  • Check that the user in the source account has the appropriate permissions to create copy jobs, such as AWSBackupFullAccess. This permission provides backup administrator access. The backup administrator oversees all AWS Backup operations including creating and modifying backup plans, and performing backup restorations.

Destination account requirements

The destination account is the AWS account that you want to keep a copy of your backup in. You can choose multiple destination accounts. The destination account must be in the same organization as the source account in AWS Organizations.

Before you set up cross-account backups, configure the destination account by doing the following:

  • Create a backup vault in the destination account, and then assign a customer managed key to encrypt the backups.
  • Note the Amazon Resource Names (ARN) of your destination account backup vault. The ARN contains the Account ID and its AWS Region.
  • You must Allow the access policy backup:CopyIntoBackupVault for your destination backup vault. Without this policy, attempts to copy into the destination account are denied. See the following example policy that provides access:
{"Version": "2012-10-17","Statement": [{"Sid": "Allow account to copy into backup vault","Effect": "Allow","Action": "backup:CopyIntoBackupVault","Resource": "*","Principal": {"AWS": "arn:aws:iam::account-id:root"}}]}

For more information on destination account requirements, see Sharing a backup vault with a different AWS account.

Security considerations for cross-account Backup

When performing cross-account backups in AWS Backup, it's important to consider the following:

  • The default vault can't be used as a destination vault for resources that don't support full AWS Backup management.
  • Cross-account backups might continue for up to 15 minutes after you turned them off due to eventual consistency.
  • If any destination account leaves the organization at a later point, they retain the backups. To prevent potential data leakage, see Removing a member account from your organization.
  • If you delete a copy job role during a cross-account copy, then AWS Backup can't unshare snapshots from the source account when the copy job completes.

Allow cross-account backups in AWS Organizations

To use cross-account backup, you must activate the cross-account backup feature in the AWS Organizations management account. The AWS Organizations management account is the primary account in your organization.

To turn on cross-account backups for your organization, follow these steps:

  1. Log in to the AWS Backup console using your AWS Organizations management account credentials. You can turn on cross-account backup using these credentials only.
  2. In the My account section, choose Settings.
  3. Turn on Cross-account backup.

After following these steps, any account in your organization can share the contents of their backup vault with any other account in the organization. For more information, see Sharing a backup vault with a different AWS account.

Schedule cross-account backups

To schedule your cross-account backups, follow these steps using the AWS Backup console.

  1. Open the AWS Backup console.
  2. In My account section, choose Backup plans, and then choose Create Backup plan.
  3. On the Create Backup plan page, choose Build a new plan.
  4. In the Backup rule configuration section, create a backup rule that includes a backup schedule, backup window, and lifecycle rules. You can add any other backup rules that you need later.
  5. For Schedule, choose how often that you want the backup to occur.
  6. It's a best practice to use the default settings for Backup window.
  7. Choose a backup vault to save recovery points for your backup, or create a new backup vault. The backup vault allows you to save the backups in the local (source) account
  8. In the Generate copy section, choose the destination AWS Region for your backup copy, and then add a new copy rule.
  9. Turn on the Copy to another account's vault option. This option turns blue when it's activated. The External vault ARN option appears.
  10. Enter the ARN of the destination account backup vault. AWS Backup copies the backup to the destination account's vault. The destination Region list automatically updates to the Region in the external vault ARN.
  11. For Allow Backup vault access, choose Allow. Then, choose Allow again in the wizard that opens.
  12. For Transition to cold storage, choose when to transition the backup copy to cold storage and when to expire (delete) the copy.
  13. Choose Create plan.

Encrypted Vaults

The default vaults are encrypted with AWS Key Management Service (AWS KMS) managed keys. AWS KMS managed keys can't be shared with other accounts. It's a best practice to use customer vaults instead because they're encrypted with customer managed keys.

You might want to perform cross-account backups for encrypted resources that don't support full AWS Backup management, such as Amazon Elastic Compute Cloud (Amazon EC2). In this case, your resources must be encrypted with customer managed keys. AWS managed keys aren't supported for cross-account copies. For more information, see Encryption for backups in AWS Backup.

For services that support full AWS Backup Management, SMKs are supported for cross-account copies. For more information, see Feature availability by resource. See also Protecting encrypted Amazon Relational Database Service (Amazon RDS) DB instances with cross-account and cross-Region backups.

AWS OFFICIAL
AWS OFFICIALUpdated 9 months ago