AWS Marketplace
Automate multi-account backup and disaster recovery with Druva and AWS Control Tower
With enterprises scaling up their AWS workloads across hundreds if not thousands of AWS accounts, customers have expressed the need to simplify data protection as they scale. Customers can use Druva to centrally manage, monitor, and secure backups across multi-account AWS environments and achieve an enhanced, organization-level view of data protection across their AWS services.
The Druva-AWS Control Tower integration is purpose-built for enterprise users of AWS Cloud. By implementing this solution, you automate the setup of your multi-account AWS environment with just a few clicks. This solution simplifies backup and disaster recovery (DR) management at an enterprise scale, using native AWS services.
Solution overview
The solution is deployed using AWS CloudFormation templates and integrates with AWS Control Tower lifecycle events. When a new account is created or enrolled using the AWS Control Tower account factory, the lifecycle event triggers the AWS Lambda function to launch an AWS CloudFormation StackSet instance. The StackSet instance creates the required IAM resources in the new account.
The following resources are deployed in the management account:
- AWS CloudFormation StackSet: used in the AWS Control Tower management account as a template for all StackSet instances to be deployed in the new accounts
- AWS Control Tower lifecycle rule: used as a trigger to deploy the integration in new accounts upon creation
- AWS Lambda onboarding function: used in case any existing accounts are selected for integration
- AWS Lambda StackSet function: used to deploy a StackSet instance to the new account
- Amazon SNS topic: used as a trigger from the onboarding to StackSet function
- AWS Secrets Manager: used to store the values used to identify the Druva customer
- AWS IAM third-party access role: allows Druva to perform actions in your AWS environment on your behalf, such as taking backups and server management
Refer to the following architecture diagram.
Prerequisites
To integrate Druva with AWS Control Tower, you must have the following:
- A fully deployed AWS Control Tower environment. For information about setting up an AWS Control Tower landing zone, see Getting Started with AWS Control Tower.
- Administrator privileges in the AWS Control Tower management account.
- A Druva account. You can subscribe to Druva using AWS Marketplace.
Solution walkthrough: Automate multi-account backup and disaster recovery with Druva and AWS Control Tower
Step 1: Get your Druva account details
- Navigate to your Druva Console. On the top navigation bar, select Account. From the dropdown, select All AWS Account. Select Add New Account.
- On Add New Account panel, select AWS Control Tower tab. From AWS Control Tower panel, copy the following:
- AWS CloudFormation template link
- OrganizationKeyId
- OrganizationToken
Step 2: Deploy the AWS CloudFormation template
- In your management account, navigate to the AWS CloudFormation console. Select Create Stack and choose With new resources (standard). On the Create Stack screen, under Amazon S3 URL, enter the CloudFormation URL you copied in step 1.2.1. Select Next.
- On the Specify Stack Details screen, provide these values:
- Stack name (Required)
- LaunchAccountList (Optional): Comma-separated list of existing accounts
- OrganizationKeyId (Required): Enter this value from Step 1.2.2.
- OrganizationToken (Required): Enter this value from Step 1.2.3.
- Select Next.
- On the Configure stack options screen, keep default values. Select Next.
- On the review screen, check the checkbox stating I acknowledge that AWS CloudFormation might create IAM resources. Select Create stack. Wait for the stack to complete.
Step 3: Test your integration
To add a managed account in AWS Control Tower, do the following:
- Navigate to the AWS Control Tower console. On the left navigation panel, choose Account Factory.
- Enter values for Account email, Display name, AWS SSO email, AWS SSO user name, and Organizational unit. Choose Enroll account. It can take up to 30 minutes for the account to be created and the AWS Control Tower lifecycle event to trigger.
- Navigate to your Druva Console. In the top navigation bar, select Account. From the dropdown, select All AWS Account. You will see the account ID of the newly created account as well as the accounts IDs of the existing accounts that you provided while launching the stack.
Druva Multi-Account Dashboard
1. View your native workload dashboard: The Druva global dashboard provides management across multiple AWS accounts. It displays detailed information on the current status and historical trends of the latest backup and restores, policies, DR plans, and jobs within your organization. To view Druva Multi-Account Dashboard, sign in to your Druva account and select Native Workloads. This shows you the global dashboard view of your connected AWS accounts. The following screenshot shows the dashboard. There is a resource summary with a doughnut chart, an overview showing my active and inactive AWS accounts, a backup and restore map with colored pins showing the location and density of my backups, and a pie chart showing my DR plans.
2. View account level dashboard: To drill down to account-level dashboards for my individual AWS accounts, from the top navigation bar, select the Accounts dropdown and select your accounts.
Conclusion
In this post, I showed you how to automatically enroll new AWS Control Tower accounts with Druva, a data resiliency solution built for the enterprise. Druva integration for AWS Control Tower enables you to automatically protect any existing accounts, as well as any future AWS accounts, as soon as they’re created. For more information about this solution, see Solutions for AWS Control Tower in AWS Marketplace.
Contents of this post were validated to work on the publishing date. The code and templates in this post are those of the third-party author, and AWS is not responsible for the content or accuracy of this post.