I have AWS Backup set up to copy resources cross-account and cross-region. However, I found out that RDS is an exception where you can't do both cross-account AND cross-region. You can do one or the other, but not both. (The caveats with AWS Backup are long and confusing, making it very difficult to plan and set up even the simplest situations, but I digress). So I've decided to copy all non-RDS resources cross-account and cross-region, but for RDS I'll only copy it cross-account, same region. It seems like this should be easy since AWS Backup plans support multiple rules, and multiple criteria for assigning resources. Alas, it doesn't appear that it works the way I need it to.
I create one rule that copies cross-account and cross-region. Then I configure another rule that performs cross-account, same region. I can configure 2 resource assignments with one for non-RDS, and one for RDS only. However, I can't seem to say non-RDS goes to the 1st rule, and RDS only goes to the 2nd. It seems like all assigned resources will be applied to all rules. There isn't a way to select which assets belong to which rule.
The thing that bugs me about this is that RDS is used in pretty much every environment and using encryption with RDS seems very common too, so lots of people would have to deal with this situation where RDS can't be sent cross-account and cross-region. And yet it seems very awkward to set this up in AWS Backup because of the separation of Rule and Assigned Resources. If Assigned Resources were just a part of the rule then everything would be solved and very straightforward without a loss of expressive power in configuration. But by having them separate you get no real increase in power of expression that I can see, but there are limitations like this that just don't seem to work.
Do I have to create separate backup plans to accomplish this (uggh) or is there a way to do this using 1 backup plan using multiple rules and multiple assignments that I don't see?
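As an added example (not from the original post), this is what the two-plan workaround looks like when built programmatically: one plan whose selection excludes RDS and copies cross-account and cross-region, and a second plan whose selection matches only RDS and copies cross-account within the same region, plus a check that refuses an RDS copy action that is both cross-account and cross-region. The account IDs, regions, role ARN and the `Default` vault are placeholders, and the `apply` function is the only part that needs `boto3` and network access.

```python
# Placeholder values; replace with your own accounts, regions and role.
SOURCE_REGION = "us-east-1"
DEST_REGION = "us-west-2"
SOURCE_ACCOUNT = "111111111111"
DEST_ACCOUNT = "222222222222"
ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/AWSBackupDefaultServiceRole"
RDS_DB_ARNS = "arn:aws:rds:*:*:db:*"  # wildcard ARN accepted by Resources/NotResources


def vault_arn(account, region, name="Default"):
    return f"arn:aws:backup:{region}:{account}:backup-vault:{name}"


def build_plan(name, copy_to_vault_arn, schedule="cron(0 5 ? * * *)"):
    """One daily rule with a single copy action to the given vault."""
    return {
        "BackupPlanName": name,
        "Rules": [{
            "RuleName": f"{name}-daily",
            "TargetBackupVaultName": "Default",
            "ScheduleExpression": schedule,
            "Lifecycle": {"DeleteAfterDays": 35},
            "CopyActions": [{
                "DestinationBackupVaultArn": copy_to_vault_arn,
                "Lifecycle": {"DeleteAfterDays": 35},
            }],
        }],
    }


def build_selection(name, include, exclude=()):
    """Resource assignment; NotResources is what carves RDS out of the first plan."""
    selection = {"SelectionName": name, "IamRoleArn": ROLE_ARN, "Resources": list(include)}
    if exclude:
        selection["NotResources"] = list(exclude)
    return selection


def check_rds_copy_constraint(plan, source_region, source_account=SOURCE_ACCOUNT):
    """RDS copies may be cross-account or cross-region, not both; raise if a rule does both."""
    for rule in plan["Rules"]:
        for copy in rule.get("CopyActions", []):
            parts = copy["DestinationBackupVaultArn"].split(":")  # [..., region, account, ...]
            if parts[3] != source_region and parts[4] != source_account:
                raise ValueError(f"{rule['RuleName']}: RDS copy is cross-account AND cross-region")
    return True


NON_RDS_PLAN = build_plan("non-rds", vault_arn(DEST_ACCOUNT, DEST_REGION))
NON_RDS_SELECTION = build_selection("all-but-rds", ["*"], [RDS_DB_ARNS])
RDS_PLAN = build_plan("rds-only", vault_arn(DEST_ACCOUNT, SOURCE_REGION))
RDS_SELECTION = build_selection("rds-only", [RDS_DB_ARNS])


def apply(plan, selection):
    import boto3  # imported here so the plan documents above can be built offline
    backup = boto3.client("backup", region_name=SOURCE_REGION)
    plan_id = backup.create_backup_plan(BackupPlan=plan)["BackupPlanId"]
    backup.create_backup_selection(BackupPlanId=plan_id, BackupSelection=selection)
    return plan_id
```

Run `check_rds_copy_constraint(RDS_PLAN, SOURCE_REGION)` before `apply(RDS_PLAN, RDS_SELECTION)` so a misconfigured destination vault is caught before the plan is created.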
This is an interesting idea and I was excited about it at first, but exporting to S3 is a manual process. Yes, you can deploy some lambdas to automate it, but I really didn't want to invest that much time to get there. Again, it just seems like it should be easier than this. Creating a separate backup plan seems like a lower lift between the two options. Thanks for your clever insight though.