Introduction
This blog post will describe how to set up cross-account AWS Backup. Let's imagine situation where you need to store your cloud backups in one central location, like another AWS account? Maybe because of some compliance or other organizational/contractual reasons. This is where cross-account AWS Backup jump on the stage :)
Pre-requisites
First of all you must have at least two accounts that belong to the same organization in the AWS Organizations service. One for backup source and second for desired target location.
Next you need to enable cross-account backup functionality. By default it's disabled.
Creating Customer Managed Key for backup encryption
For all services except Amazon EFS, cross-account backup only supports customer managed CMKs. It does not support backup vaults that are encrypted using AWS managed CMKs, including default vaults, because AWS managed CMKs are not intended to be shared between accounts that's why we need to create our own key.
Set up alias, key type and key administrators. For key users we need to pickup IAM Role used by AWS Backup. Last thing is to allow usage of our key with Source account.
Create Service Linked Role for AWS Backup (optional)
You might encounter similar error:
The provided role arn:aws:iam::1234567890:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup cannot be assumed by AWS Backup.
This means you are missing service linked role. AWS Backup uses the service linked role named AWSServiceRoleForBackup. This role provides AWS Backup permission to create backups on your behalf across AWS services. If you have used AWS Backup in the past, most probably you already have it but if don't we can create it running below command:
aws iam create-service-linked-role --aws-service-name backup.amazonaws.com
We can use new cool feature to do this - AWS CloudShell
Create Backup Vaults
Next step is to create Backups Vaults in source and destination accounts where we will copy our backups. Backup vault is a container where you can organize your backups in.
Note:You must use vaults other than your default vaults to perform cross-account backup.
Another task to do with Backup Vaults is to set up an access policy. We want to allow access to our Vault from AWS Organizations.
Policy JSON should look like this:
We need to switch to our source account and repeat these steps with creating KMS key and Backup Vault. We need a place to store our encrypted backups before we copy them to the target account.
Configure Backup Plans
Next step is to configure Backup Plans. Backup plan is a policy (set of rules) that defines when and how you want to back up your AWS resources. You can assign resources to backup plans and AWS Backup automatically backs up and retains backups for those resources according to the backup plan. You can create multiple backup plans if you have workloads with different backup demands.
You can pick up from pre-defined templates or create your own plan:
Configure backup rule by defining schedule, backup window, lifecycle policy, target vault:
And what's most interesting, we can define here our copy to destination with copy to another account's vault switch:
It's worth to mention that we can have multiple copies.
When we have defined our backup plan and rules now it's time to assign resources that are going to be backed up:
We can assign resources by specific Tags which is very useful and by Resource ID:
Supported resource types
Unfortunately not all resource types support cross-account and cross-region backup at the same time. One of the example is RDS. You may encounter similar error:
I couldn't find any confirmation in official docs that this setup is not supported. I hope AWS team responsible for AWS Backup will work on it and in the near future all resource types will support cross-account and cross-region backup ;-)
I've worked with below resource types without any issues:
- EC2
- EBS
- EFS (non-default/automatic EFS backup)
Verify your backup and copy jobs
Final thing is to review if your backups are working as planned. Verify backup jobs and copy jobs in your dashboard and troubleshoot any potential misconfigurations/issues:
Next steps
There is always space for improvement :). If you would like to experiment more with AWS Backup you might want to try centralized management and creating Backup Policies across your AWS Organization.
If you have any additional questions or spot any error please feel free to contact me!
P.S. Always test your backups.
Top comments (2)
excellent article .....It really helped to me overcome the problem while creating cross account back
I'm very happy that you found it useful! :)