
AWS Backup - Copying backups across accounts in separate AWS Organizations - Is it possible?

0

Error Message

I’m trying to validate a cross-organization backup copy scenario and would appreciate clarification.

Scenario

  • Account A1 in Org A (Production Org)
  • Account B1 in Org B (Recovery Org)

In Account B1, I created a Logically Air-Gapped Vault (LAGV) using a custom KMS key. In the KMS key policy, I allowed the AWS Backup service principal. Using AWS RAM in Account B1, I shared the LAGV with Account A1 (in Org A). After sharing, I see the vault under “Vaults shared through RAM” in A1. In the LAGV vault policy, I allowed Account A1 to copy backups into the vault. To eliminate permission-related issues during testing, I also temporarily allowed "Principal": "*".

Vault policy (for reference):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowProdCopyIntoLAGV-1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<A1-account-id>:root"
            },
            "Action": "backup:CopyIntoBackupVault",
            "Resource": "*"
        },
        {
            "Sid": "AllowProdCopyIntoLAGV-2-dangerous-only-for-testing",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "backup:CopyIntoBackupVault",
            "Resource": "*"
        }
    ]
}

In the Settings section of AWS Backup (in both organizations), I enabled:

  • Cross-account monitoring
  • Cross-account backup
  • Multi-party approval integration

In Account A1, I created a Backup Plan that:

  • Backs up an S3 bucket (all resources are in us-east-1)
  • Copies to a local standard vault
  • Includes a copy action to another account’s vault (the shared LAGV ARN from B1) - this is done under the Copy section of the Backup Plan
  • The service role used is AWSBackupDefaultServiceRole, which has AWSBackupServiceRolePolicyForBackup and AWSBackupServiceRolePolicyForRestores

Result

The first step in the backup plan - copying to the local vault in A1 - succeeds. However, the second step - copy to the LAGV in B - fails with the error: “Access denied – Copy job failed. Both source and destination account must be a member of the same organization.” I have tested with a custom KMS key and later with an AWS-managed KMS key. The same error occurs in all cases.

Question

Is cross-organization copy into a backup vault (including LAGV) not supported at all? I’ve heard AWS representatives suggest using AWS Backup to copy backups into a separate recovery organization for resiliency. Am I missing something here? I also found a similar question asked here a year ago: https://repost.aws/questions/QURX0xbdOPQv6_YdX7sVUGcg/how-to-copy-aws-backup-cross-aws-organization The answer referenced the AWS documentation, which I have gone through, but it does not provide an answer to my question.

1 Answer
0

AWS Backup does not currently support cross‑organization backup copy operations into a vault, including logically air‑gapped vaults. According to the official documentation, both the source and destination accounts must reside within the same AWS Organization for cross‑account backup copy functionality to succeed.

https://docs.aws.amazon.com/aws-backup/

'....Use a cross-account backup if you want to securely copy your backups to one or more AWS accounts in your organization… Before you can do this, you must have two accounts that belong to the same organization in the AWS Organizations service....'

EXPERT
answered 3 months ago
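As an added example (not code from the poster, the answerer or AWS), a small Python check that audits a backup vault access policy shaped like the one in the question: it flags the wildcard principal and, given an account-to-organization map that you would normally fill from AWS Organizations DescribeOrganization run in each account, any copy grant to an account outside the vault owner's organization, which is exactly the condition AWS Backup rejects. The account ids and organization ids are placeholders.

```python
import re

# Constructed policy mirroring the question's vault policy; the account id is a placeholder.
VAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowProdCopyIntoLAGV-1", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "backup:CopyIntoBackupVault", "Resource": "*"},
        {"Sid": "AllowProdCopyIntoLAGV-2-dangerous-only-for-testing", "Effect": "Allow",
         "Principal": "*", "Action": "backup:CopyIntoBackupVault", "Resource": "*"},
    ],
}
# Constructed account -> organization map (normally gathered with DescribeOrganization
# in each account): A1 sits in the production org, the vault owner B1 in the recovery org.
ORG_OF_ACCOUNT = {"111111111111": "o-prodorg", "222222222222": "o-recoveryorg"}
COPY_ACTIONS = {"backup:CopyIntoBackupVault", "backup:*", "*"}
ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")

def principal_accounts(principal):
    """Return ("wildcard", []) or ("accounts", [account ids]) for a policy Principal."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    if aws == "*":
        return "wildcard", []
    ids = []
    for entry in [aws] if isinstance(aws, str) else aws:
        m = ROOT_ARN.match(entry)
        if m:
            ids.append(m.group(1))
        elif entry.isdigit() and len(entry) == 12:
            ids.append(entry)
    return "accounts", ids

def audit_vault_policy(policy, vault_account, org_of_account):
    """Flag copy-into-vault grants that are wildcard or come from another organization."""
    dest_org = org_of_account[vault_account]
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not COPY_ACTIONS.intersection(actions):
            continue
        kind, ids = principal_accounts(stmt.get("Principal", {}))
        if kind == "wildcard":
            findings.append((stmt.get("Sid"), "wildcard principal: any AWS account may copy into this vault"))
        for acct in ids:
            if org_of_account.get(acct) != dest_org:
                findings.append((stmt.get("Sid"), f"account {acct} is outside {dest_org}; copy job will be denied"))
    return findings
```

Running `audit_vault_policy(VAULT_POLICY, "222222222222", ORG_OF_ACCOUNT)` reports both statements: the first because A1 is in a different organization, the second because of the wildcard principal.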
