AWS BackUp Cross Account


I'm having quite a lot of difficulties getting my head around AWS BackUp in particular cross account.

We have multiple AWS accounts in an organisation:

prod staging qa backup

We'd like to backup the RDS databases in prod, staging and qa using AWS Backup and then have cross account replication to the backup account.

(1) Can the CMK used for encryption be different from the CMK used to encrypt the database? I know it needs to be shared across accounts, so should I create a new CMK in the destination backup account and share it to the source accounts prod, staging and qa?

(2) How does lifecycle work? Once the backups are copied across to the destination backup account I don't really need them any more in the source account. Is it possible to have a separate lifecycle rule for the source account and destination account?


asked 2 months ago, 118 views
2 Answers


You may want to read this blog on the exact use case that you are working on:

It provides all details on implementation, in particular around management of encryption keys.



AWS
answered 2 months ago
  1. Amazon RDS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon RDS database, so in order to have a cross-account backup of RDS, we must use CMK to encrypt RDS. (Snapshots of unencrypted Amazon RDS databases are also unencrypted). We use AWS KMS-CMK because it can be shared across accounts.
  2. If you don't need the backup in the source account, you can simply create a shorter retention period so that they expire soon while the destination backup can have a longer retention.
AWS
answered 2 months ago
  • I appreciate the advice and have reviewed the links. Each RDS instance we have (in prod, staging and qa) uses a different CMK for encryption. Does this mean we need to use different AWS Backup vaults for each one? Or can we just add permissions for AWSServiceRoleForBackup to each of the CMK keys?

  • Each vault has its own CMK, and it is independent from the RDS encryption key; there is no need to create a vault for each RDS instance. When AWS Backup backs up an instance, it uses the RDS instance CMK to encrypt the instance recovery point, and sends the snapshots into a vault which is itself encrypted to protect all the other backups you might have.
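The two answers above cover the key sharing for question (1) and the shorter source retention for question (2). The following is an added example, not code from the original thread or from AWS, that puts both into the concrete documents you would hand to AWS Backup and KMS: the key policy for the CMK that encrypts the destination vault (granting the source accounts use of the key), the destination vault's access policy (restricting who may copy into it), and a backup plan whose rule keeps a short retention in the source vault while its copy action carries a longer, independent lifecycle in the backup account. All account IDs, the region, the vault name and the key ID are constructed placeholders; `backup_plan`, `vault_key_policy`, `vault_access_policy` and the check helpers are hypothetical names for this example. The dictionaries are built offline and are in the shape that `boto3`'s `backup.create_backup_plan`, `backup.put_backup_vault_access_policy` and `kms.put_key_policy` accept, so nothing here contacts AWS.

```python
"""Build the documents a cross-account AWS Backup copy of RDS needs (added example)."""
import json

# Constructed sample accounts: prod, staging, qa copy into the backup account.
SOURCE_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]
BACKUP_ACCOUNT = "444444444444"
REGION = "eu-west-1"
DEST_VAULT_NAME = "central-rds-vault"
DEST_VAULT_ARN = f"arn:aws:backup:{REGION}:{BACKUP_ACCOUNT}:backup-vault:{DEST_VAULT_NAME}"


def account_root_arns(accounts):
    return [f"arn:aws:iam::{acct}:root" for acct in accounts]


def vault_key_policy(backup_account, source_accounts):
    """Key policy for the customer-managed CMK that encrypts the destination vault.

    The vault key is separate from each RDS instance's own CMK; the source accounts
    only need to use this key when a recovery point is copied into the vault.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Owning account keeps full control so IAM policies in it can manage the key.
                "Sid": "EnableKeyAdministrationInBackupAccount",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{backup_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Source accounts may use the key, but not administer it.
                "Sid": "AllowSourceAccountsToUseKey",
                "Effect": "Allow",
                "Principal": {"AWS": account_root_arns(source_accounts)},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
            },
            {   # Grants are limited to ones created on behalf of an AWS service.
                "Sid": "AllowSourceAccountsToCreateServiceGrants",
                "Effect": "Allow",
                "Principal": {"AWS": account_root_arns(source_accounts)},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def vault_access_policy(source_accounts):
    """Destination vault access policy: only the listed accounts may copy into it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCopyFromSourceAccounts",
            "Effect": "Allow",
            "Principal": {"AWS": account_root_arns(source_accounts)},
            "Action": "backup:CopyIntoBackupVault",
            "Resource": "*",
        }],
    }


def backup_plan(source_vault_name, dest_vault_arn, source_days, dest_days):
    """Backup plan with a short source retention and a longer retention on the copy.

    RDS recovery points are not eligible for cold storage, so only DeleteAfterDays
    is set. The copy action's Lifecycle applies in the destination vault only.
    """
    if dest_days < source_days:
        raise ValueError("destination copy should outlive the source recovery point")
    return {
        "BackupPlanName": "rds-daily-with-cross-account-copy",
        "Rules": [{
            "RuleName": "daily-rds",
            "TargetBackupVaultName": source_vault_name,
            "ScheduleExpression": "cron(0 3 * * ? *)",   # 03:00 UTC daily
            "Lifecycle": {"DeleteAfterDays": source_days},
            "CopyActions": [{
                "DestinationBackupVaultArn": dest_vault_arn,
                "Lifecycle": {"DeleteAfterDays": dest_days},
            }],
        }],
    }


def retention_days(plan):
    """Return (source retention, destination retention) for the plan's first rule."""
    rule = plan["Rules"][0]
    return (rule["Lifecycle"]["DeleteAfterDays"],
            rule["CopyActions"][0]["Lifecycle"]["DeleteAfterDays"])


def allowed_accounts(policy):
    """Set of account IDs a policy grants access to; use it to spot an unexpected account."""
    accounts = set()
    for stmt in policy["Statement"]:
        principals = stmt["Principal"]["AWS"]
        for arn in ([principals] if isinstance(principals, str) else principals):
            accounts.add(arn.split(":")[4])
    return accounts


if __name__ == "__main__":
    plan = backup_plan("local-rds-vault", DEST_VAULT_ARN, 7, 365)
    print(json.dumps(plan, indent=2))
    print(sorted(allowed_accounts(vault_key_policy(BACKUP_ACCOUNT, SOURCE_ACCOUNTS))))
```

The plan is created in each source account (prod, staging, qa), pointing at the one destination vault ARN in the backup account; the key policy and vault access policy are applied once, in the backup account. Run `allowed_accounts` over the policies before deploying them so the only principals are the four organisation accounts you expect.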
