AWS Database Blog

Setting up for cross-account native backup and restore in Amazon RDS for Microsoft SQL Server

Reviewed and updated in June 2022.

Amazon Relational Database Service (Amazon RDS) supports native backup and restore for Microsoft SQL Server databases. If you have multiple AWS accounts, you can perform native backup and restore across these accounts, provided that your Amazon RDS instance and the Amazon Simple Storage Service (Amazon S3) bucket are in the same AWS Region. It’s important to understand this requirement before proceeding with these steps.

This post describes how to set up the permissions and policies necessary to perform cross-account native backup and restore in Amazon RDS for SQL Server. The steps in this procedure assume that you have the following AWS accounts containing these resources:

  • Account A – Amazon RDS for SQL Server instance
  • Account B – Amazon S3 bucket

For Account A, see Importing and Exporting SQL Server Databases for how to set up native backup and restore for an RDS for SQL Server instance.

For Account B, which contains the S3 bucket, you need to create a bucket policy to authorize the role from Account A to access the S3 bucket.

Configure the S3 bucket policy

The next step is to configure the S3 bucket and its policy to allow Account A to access the bucket. You can create a bucket or use an existing one. However, make sure that the bucket is in the same AWS Region as your Amazon RDS instance.

  1. On the Amazon S3 console, choose the bucket that you want to create a policy for. Choose Permissions, and then choose Bucket Policy.
  2. To allow RDS to access the S3 bucket for backup and restore, include the following bucket policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Permission to cross account",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::ACCOUNTA-NUMBER:role/service-role/NATIVE-BACKUP-ROLE-NAME"
                    ]
                },
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": [
                    "arn:aws:s3:::AccountB-S3BucketName"
                ]
            },
            {
                "Sid": "Permission to cross account on object level",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::ACCOUNTA-NUMBER:role/service-role/NATIVE-BACKUP-ROLE-NAME"
                    ]
                },
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:ListMultipartUploadParts",
                    "s3:AbortMultipartUpload"
                ],
                "Resource": [
                    "arn:aws:s3:::AccountB-S3BucketName/*"
                ]
            }
        ]
    }

  3. In Account A, add the Account B bucket (arn:aws:s3:::AccountB-S3BucketName and arn:aws:s3:::AccountB-S3BucketName/*) as a Resource in the IAM policy attached to the native backup and restore role that is linked to the option group in use with the RDS SQL Server instance. Once this is done, you are ready to use the cross-account S3 bucket for Amazon RDS for SQL Server native backup and restore.
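The two policies above must agree with each other: the bucket policy in Account B decides which principal may touch the bucket, and the role policy in Account A decides which buckets that role may ask for. The following script is an added example, not code from the post or from AWS. It builds both policies from constructed placeholder values (account number, role name, bucket name), lints the bucket policy for the least-privilege shape shown in the post (no wildcard or account-root principals, only the listed actions, resources scoped to the one bucket), and checks that the Account A role policy covers every resource the bucket policy grants.

```python
"""Build and cross-check the two policies that cross-account RDS SQL Server
native backup/restore depends on: the S3 bucket policy in Account B and the
IAM policy on the native-backup role in Account A.

Added example, not code from the AWS post. Account number, role name and
bucket name are constructed placeholders; the lint rules encode the
least-privilege shape of the policy shown in the post.
"""
import json

# Constructed placeholders (not real accounts, roles or buckets).
ACCOUNT_A = "111111111111"
ROLE_NAME = "NATIVE-BACKUP-ROLE-NAME"
BUCKET = "AccountB-S3BucketName"

BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject",
                  "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"]


def role_arn(account_id, role_name):
    """ARN of the native backup role as it appears in the bucket policy."""
    return f"arn:aws:iam::{account_id}:role/service-role/{role_name}"


def bucket_policy(account_a, role_name, bucket):
    """Bucket policy for Account B: grants only the Account A role, only the
    actions native backup/restore needs, split into bucket-level and
    object-level statements because the resource ARNs differ."""
    def principal():
        return {"AWS": [role_arn(account_a, role_name)]}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Permission to cross account", "Effect": "Allow",
             "Principal": principal(), "Action": list(BUCKET_ACTIONS),
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Sid": "Permission to cross account on object level",
             "Effect": "Allow", "Principal": principal(),
             "Action": list(OBJECT_ACTIONS),
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def role_policy(bucket):
    """Identity policy for the Account A role (the policy linked to the option
    group). Both the bucket ARN and bucket/* must be listed as Resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(BUCKET_ACTIONS),
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow", "Action": list(OBJECT_ACTIONS),
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def _as_list(v):
    # IAM allows a single string or a list in Principal/Action/Resource.
    return v if isinstance(v, list) else [v]


def lint_bucket_policy(policy, expected_role_arn, bucket):
    """Return a list of findings; an empty list means the policy has the
    expected least-privilege shape. Deny statements are skipped since they
    can only narrow access."""
    findings = []
    allowed_actions = set(BUCKET_ACTIONS + OBJECT_ACTIONS)
    allowed_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if principal is None:
            principals = []
        elif principal == "*":
            principals = ["*"]
        else:
            principals = _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*" or p.endswith(":root"):
                findings.append(f"{sid}: principal '{p}' is broader than the backup role")
            elif p != expected_role_arn:
                findings.append(f"{sid}: unexpected principal '{p}'")
        for a in _as_list(st.get("Action", [])):
            if a not in allowed_actions:
                findings.append(f"{sid}: action '{a}' is not needed for native backup/restore")
        for r in _as_list(st.get("Resource", [])):
            if r not in allowed_resources:
                findings.append(f"{sid}: resource '{r}' is outside the backup bucket")
    return findings


def policies_agree(bucket_pol, role_pol):
    """The Account A role policy must cover every resource the Account B
    bucket policy grants; a cross-account call needs both sides to allow it."""
    granted = {r for st in bucket_pol["Statement"] for r in _as_list(st["Resource"])}
    covered = {r for st in role_pol["Statement"] for r in _as_list(st["Resource"])}
    return granted <= covered


if __name__ == "__main__":
    pol = bucket_policy(ACCOUNT_A, ROLE_NAME, BUCKET)
    print(json.dumps(pol, indent=4))
    print("findings:", lint_bucket_policy(pol, role_arn(ACCOUNT_A, ROLE_NAME), BUCKET))
    print("role policy covers bucket policy:", policies_agree(pol, role_policy(BUCKET)))
```

Run the script to print the generated bucket policy and the lint result; to try it against a policy you already have, load the JSON from the S3 console into a dict and pass it to lint_bucket_policy with the real role ARN and bucket name. Substituting the account root (arn:aws:iam::ACCOUNTA-NUMBER:root) for the role ARN is the most common way this policy gets over-broadened, and the linter flags it.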

For more information, see Manually Creating an IAM Role for Native Backup and Restore in the Amazon RDS User Guide.

Note: We currently don’t support native backup and restore with a cross-account customer managed key (CMK).

Summary

This post briefly describes what you need to set up in order to perform cross-account native backup and restore in Amazon RDS for SQL Server. You can perform native backup and restore across multiple AWS accounts provided that you have an RDS instance and S3 bucket in the same AWS Region.

For more information about native backup and restore, see Microsoft SQL Server Native Backup and Restore Support in the Amazon RDS User Guide.


About the Authors

Fabio Albuquerque is a Sr Software Development Engineer with Amazon Web Services.

Kirthi Vishal is a Support Engineer with Amazon Web Services. He is a subject matter expert on RDS and RDS for SQL Server who works with our customers to provide guidance and technical assistance on Relational Database Services, helping them improve the value of their solutions when using AWS.