This blog post describes how to set up cross-account AWS Backup. Imagine a situation where you need to store your cloud backups in one central location, such as another AWS account, perhaps for compliance or other organizational or contractual reasons. This is where cross-account AWS Backup comes on stage :)
First of all, you need at least two accounts that belong to the same organization in the AWS Organizations service: one as the backup source and a second as the target location.
Next, you need to enable the cross-account backup functionality. By default it is disabled.
For all services except Amazon EFS, cross-account backup only supports customer managed CMKs. It does not support backup vaults encrypted with AWS managed CMKs, including the default vaults, because AWS managed CMKs are not intended to be shared between accounts. That is why we need to create our own key.
Set up the alias, key type and key administrators. For key users, pick the IAM role used by AWS Backup. The last step is to allow usage of our key from the source account.
You might encounter an error similar to this one:
The provided role arn:aws:iam::1234567890:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup cannot be assumed by AWS Backup.
This means you are missing the service-linked role. AWS Backup uses the service-linked role named AWSServiceRoleForBackup, which gives AWS Backup permission to create backups on your behalf across AWS services. If you have used AWS Backup in the past, you most probably already have it; if not, create it with the command below:
aws iam create-service-linked-role --aws-service-name backup.amazonaws.com
The next step is to create backup vaults in the source and destination accounts, where we will copy our backups. A backup vault is a container in which you organize your backups.
Note: You must use vaults other than your default vaults to perform cross-account backup.
Another task for the backup vaults is to set up an access policy. We want to allow access to our vault from our AWS Organization.
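As an added example (not code from the original post), the script below builds a vault access policy that lets only principals from one AWS Organization copy recovery points into the destination vault and applies it with the AWS CLI. The organization ID and vault name are placeholders you must replace.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a backup vault access
# policy that allows only principals from ONE AWS Organization to copy
# recovery points into the vault, then applies it with the AWS CLI.
# The ORG_ID / VAULT_NAME values used in the usage line are placeholders.

# Print the vault access policy for the given organization ID.
# "Principal": "*" on its own would let ANY AWS account copy into the
# vault; the aws:PrincipalOrgID condition narrows it to our organization,
# and the single action keeps the grant to copies only (least privilege).
vault_policy_json() {
  org_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCopyIntoVaultFromOrganization",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "backup:CopyIntoBackupVault",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "$org_id" }
      }
    }
  ]
}
EOF
}

# Apply the policy to the destination vault (needs configured AWS credentials
# for the destination account). Arguments: vault name, organization ID.
apply_vault_policy() {
  aws backup put-backup-vault-access-policy \
    --backup-vault-name "$1" \
    --policy "$(vault_policy_json "$2")"
}

# Usage with placeholder values (run in the destination account):
# apply_vault_policy "central-backup-vault" "o-exampleorgid"
```

After applying it, `aws backup get-backup-vault-access-policy --backup-vault-name <vault>` shows the stored policy so you can confirm the organization condition is in place.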
Now we switch to our source account and repeat these steps, creating a KMS key and a backup vault. We need a place to store our encrypted backups before we copy them to the target account.
The next step is to configure backup plans. A backup plan is a policy (a set of rules) that defines when and how you want to back up your AWS resources. You assign resources to a backup plan and AWS Backup automatically backs them up and retains the backups according to that plan. You can create multiple backup plans if you have workloads with different backup requirements.
And, most interestingly, this is where we define the copy to our destination, using the "Copy to another account's vault" switch:
It is worth mentioning that we can have multiple copies.
Unfortunately, not all resource types support cross-account and cross-region backup at the same time. One example is RDS. You may encounter an error similar to this:
I couldn't find any confirmation in the official docs that this setup is not supported. I hope the AWS team responsible for AWS Backup will work on it and that in the near future all resource types will support cross-account and cross-region backup ;-)
I've worked with the resource types below without any issues:
- EFS (non-default/automatic EFS backup)
There is always room for improvement :). If you would like to experiment more with AWS Backup, you might want to try centralized management and creating backup policies across your AWS Organization.
If you have any additional questions or spot any error please feel free to contact me!
P.S. Always test your backups.