AWS Backup cross account with Organizations

1

Hey guys! I want to backup some services that are on multiple accounts to another account that will only keep the backup and I intend to use AWS Backup for that. I know it has cross account functionality, but I have some questions:

1 - I saw some tutorials on how to do this process, but it was not clear if I should create a backup plan/policy in the root/management account (Organizations) or in the account where the services that will be backed up are located. Because if I do it in the account where the services are, I'll have to make a backup plan for each account and I wanted to create a backup plan that applied to all accounts. How can I create a backup plan that applies to all accounts? 2 - In the root/management account, when I create a backup policies, it asks me for the name of the backup vault within the "add backup rule" section. This would be the name of the backup vault that is in the other account that will receive the backup? Shouldn't it have his identification (ARN)?

natte
asked a year ago1112 views
2 Answers
1

Here are some tips for setting up cross-account AWS Backup:

The backup plans and policies should be created in the source accounts where the resources to backup are located. This allows you to scope the plans to the specific resources in each account. The management account can't directly create plans targeting resources in other accounts. But you can centralize the plan creation using AWS Organizations - create a service control policy that enforces specific backup plans/policies in each account.

When creating the backup plan, the destination vault ARN should point to the backup vault in the central backup account. So in the "Add backup rule" section, paste in the full ARN of the destination backup vault where you want backups sent. The vault name alone won't work across accounts.

Some key pointers:

  • Enable backup in each source account
  • Create IAM roles allowing cross account access
  • Create vault in central backup account
  • Create backup plans in each source account, using vault ARN as destination
  • This lets you backup to a central vault while keeping the backup plans decentralized and scoped to each account.
profile pictureAWS
answered a year ago
0

*Note: As of today 8/28/23, cross-account backup is not available in Israel (Tel Aviv), China (Beijing), and China (Ningxia) regions. Check this link for the latest as AWS is always adding regions, features, and capabilities (https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html#features-by-region). *

To use cross-account management, you must follow these steps:

  • In your management account in AWS Organizations, add all the desired accounts under the management account.
  • Enable the cross-account management feature in AWS Backup.
  • Create a backup policy to apply to all AWS accounts under your management account.
  • Manage backup, restore, and copy jobs in all your AWS accounts.

There are a few security considerations to note:

  • The destination vault cannot be the default vault. This is because the default vault is encrypted with a key that cannot be shared with other accounts.
  • Cross-account backups might still run for up to 15 minutes after you disable cross-account backup. This is due to eventual consistency, and might result in some cross-account jobs starting or completing even after you disable cross-account backup.
  • If the destination account leaves the organization at a later date, that account will retain the backups. To avoid potential data leakage, place a deny permission on the organizations:LeaveOrganization permission in a service control policy (SCP) attached to the destination account. For detailed information about SCPs, see Removing a member account from your organization in the Organizations User Guide.
  • If you delete a copy job role during a cross-account copy, AWS Backup can't unshare snapshots from the source account when the copy job completes. In this case, the backup job finishes, but the copy job status shows as Failed to unshare snapshot.

AWS has docs on setting this all up here: https://docs.aws.amazon.com/aws-backup/latest/devguide/create-cross-account-backup.html

profile picture
answered a year ago
profile pictureAWS
EXPERT
reviewed a year ago
  • The step reproduced in the link above do not use Backup policy.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions