AWS Database Blog

Setting up for cross-account native backup and restore in Amazon RDS for Microsoft SQL Server

Amazon Relational Database Service (Amazon RDS) supports native backup and restore for Microsoft SQL Server databases. If you have multiple AWS accounts, you can perform native backup and restore across these accounts, provided that your Amazon RDS instance and the Amazon Simple Storage Service (Amazon S3) bucket are in the same AWS Region. It’s important to understand this requirement before proceeding with these steps.

This post describes how to set up the permissions and policies necessary to perform cross-account native backup and restore in Amazon RDS for SQL Server. The steps in this procedure assume that you have the following AWS accounts containing these resources:

  • Account A – Amazon RDS for SQL Server instance
  • Account B – Amazon S3 bucket

Almost all of the setup is done in Account B, where the S3 bucket exists. The one step performed in Account A (adding the Account B bucket to the IAM policy used by the RDS option group) is described at the end of Task 3. You perform the following tasks in Account B:

  1. Create an IAM policy.
  2. Create a role and set up a trust policy.
  3. Create an S3 bucket policy.

Task 1: Create an IAM policy

To create the policy, open the AWS Identity and Access Management (IAM) console.

  1. On the IAM dashboard, choose to create a new policy. Name the policy CrossAccountSetup.
  2. Choose the JSON tab, and paste the following permissions policy, replacing bucket_name with the name of your S3 bucket (which must be in the same Region as the RDS SQL Server instance):
    {
        "Version": "2012-10-17",
        "Statement":
        [
            {
            "Effect": "Allow",
            "Action":
                [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
            "Resource": "arn:aws:s3:::bucket_name"
            },
            {
            "Effect": "Allow",
            "Action":
                [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:ListMultipartUploadParts",
                    "s3:AbortMultipartUpload"
                ],
            "Resource": "arn:aws:s3:::bucket_name/*"
            }
        ]
    }
    

This policy is the same policy that you use for the native setup, except that you set this up on the other account where the S3 bucket exists. For more information, see Manually Creating an IAM Role for Native Backup and Restore in the Amazon RDS User Guide.

The policy appears as follows on the IAM console:

  3. Choose Review policy, and then choose Create policy.

Task 2: Create a role and set up the trust policy

Next, you create a new IAM role to use with native backup and restore, and set up the trust policy.

  1. On the IAM console, choose Roles, and then choose Create role. Choose Another AWS account and enter the account ID of Account A (the account that owns the RDS instance).
  2. Search for the policy that you created in Task 1 (CrossAccountSetup in this case) and select it.
  3. Enter a Role name (for example, RDSCrossAccountRole) and a Role description, and create the role.

After creating the role, check its trust policy. If you chose Another AWS account and entered the Account A ID, it looks like the following example, where AccountA-RDS stands for the 12-digit account ID of Account A:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountA-RDS:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

The preceding policy trusts the account root principal of Account A, which lets any IAM user or role in Account A that is permitted to call sts:AssumeRole assume this role. If you do not want to extend that much trust to Account A, edit the trust policy so that only the RDS service can assume the role.

The following is an example trust policy for native backup and restore for Amazon RDS (recommended trust setup). Here AccountA-RDS again stands for the 12-digit account ID of Account A; RDS presents that account ID as the external ID when it assumes the role, so the condition ties the role to RDS acting for Account A rather than to RDS in general:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "rds.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "sts:ExternalId": "AccountA-RDS" }
      }
    }
  ]
}

For more information, see Manually Creating an IAM Role for Native Backup and Restore in the Amazon RDS User Guide.

Task 3: Configure the S3 bucket policy

The next step is to configure the S3 bucket and its policy to allow Account A to access the bucket. You can create a bucket or use an existing one. However, make sure that the bucket is in the same AWS Region as your Amazon RDS instance.

  1. On the Amazon S3 console, choose the bucket that you want to create a policy for. Choose Permissions, and then choose Bucket Policy.
  2. To allow Account A to access the S3 bucket for backup and restore, add the following bucket policy, replacing 123456789012 with the account ID of Account A and AccountB-S3BucketName with the name of your bucket:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Permission to cross account",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:root"
                },
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::AccountB-S3BucketName",
                    "arn:aws:s3:::AccountB-S3BucketName/*"
                ]
            }
        ]
    }
    

The policy appears as follows in the bucket policy editor:

After completing these steps, switch to Account A and add the Account B bucket, both arn:aws:s3:::AccountB-S3BucketName and arn:aws:s3:::AccountB-S3BucketName/*, as Resources in the IAM policy of the role that is associated with the option group used by the RDS SQL Server instance. Note that the bucket policy shown grants s3:* to the root principal of Account A, that is, to every principal in Account A that IAM allows to use S3, including actions such as deleting the bucket or changing its policy. If you want a tighter grant, set the Principal to the ARN of that option-group role and the Action to the same list used in Task 1. Once done, you are ready to use the cross-account S3 bucket for Amazon RDS SQL Server native backup and restore.

For more information, see Manually Creating an IAM Role for Native Backup and Restore in the Amazon RDS User Guide.
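The three tasks above, as an added example (Python with boto3; this is not code from the post or from AWS). It renders the Task 1 permissions policy, the recommended Task 2 trust policy and the Task 3 bucket policy from a bucket name and the Account A account ID, rejects placeholder strings that are not 12-digit account IDs, and audits any trust or bucket policy for the two broad grants this post shows (an account-root Principal, and s3:*). The bucket policy it renders is deliberately tighter than the one above: the Principal is the option-group role in Account A and the Action list is the Task 1 set. The bucket name accountb-sqlbackups, account ID 111122223333, role name rds-s3-role and the apply() wrapper around boto3 calls are assumptions for illustration; apply() is the only part that needs AWS credentials.

```python
# Added example, not the post's code: render, audit and apply the policies.
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Actions RDS native backup/restore needs, split by resource type.
# Same set as the post's Task 1 policy.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject",
                  "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"]


def _account(account_id):
    """Reject placeholders such as 'AccountA-RDS' before they reach IAM."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return account_id


def _s3_grants(bucket, principal=None):
    """Two Allow statements: bucket-level actions and object-level actions."""
    stmts = []
    for acts, resource in ((BUCKET_ACTIONS, f"arn:aws:s3:::{bucket}"),
                           (OBJECT_ACTIONS, f"arn:aws:s3:::{bucket}/*")):
        stmt = {"Effect": "Allow", "Action": acts, "Resource": resource}
        if principal:  # bucket policies name a Principal; identity policies do not
            stmt["Principal"] = {"AWS": principal}
        stmts.append(stmt)
    return {"Version": "2012-10-17", "Statement": stmts}


def permissions_policy(bucket):
    """Task 1: identity policy for the Account B role, scoped to one bucket."""
    return _s3_grants(bucket)


def trust_policy(rds_account_id):
    """Task 2 (recommended form): trust only the RDS service principal and
    require the ExternalId RDS presents, which is the Account A account ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "rds.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": _account(rds_account_id)}},
    }]}


def bucket_policy(bucket, rds_account_id, role_name=None):
    """Task 3: bucket policy letting Account A reach the bucket. With role_name
    (the role attached to the RDS option group in Account A) the Principal is
    that one role instead of the whole account; the Action list is the same
    minimal set as Task 1 instead of the post's s3:*."""
    aid = _account(rds_account_id)
    principal = (f"arn:aws:iam::{aid}:role/{role_name}" if role_name
                 else f"arn:aws:iam::{aid}:root")
    return _s3_grants(bucket, principal)


def audit(doc):
    """Flag over-broad grants in a trust or bucket policy; [] means clean."""
    findings = set()
    stmts = doc["Statement"]
    for s in stmts if isinstance(stmts, list) else [stmts]:
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = s.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        aws = [aws] if isinstance(aws, str) else aws
        if any(a in ("s3:*", "*") for a in actions):
            findings.add("wildcard Action: also allows bucket deletion and policy changes")
        for p in aws:
            if p == "*" or p.endswith(":root"):
                findings.add(f"Principal {p} is a whole account, not a specific role")
        if "sts:AssumeRole" in actions and "Service" in principal and not s.get("Condition"):
            findings.add("service principal trusted without a Condition")
    return sorted(findings)


# Constructed copy of the post's Task 3 bucket policy, placeholder IDs included.
POST_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Permission to cross account", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:*",
    "Resource": ["arn:aws:s3:::AccountB-S3BucketName",
                 "arn:aws:s3:::AccountB-S3BucketName/*"]}]}


def apply(bucket, rds_account_id, option_group_role,
          role_name="RDSCrossAccountRole", policy_name="CrossAccountSetup"):
    """Create the policy, role and bucket policy using Account B credentials."""
    import boto3  # imported here so rendering and auditing work offline
    iam, s3 = boto3.client("iam"), boto3.client("s3")
    created = iam.create_policy(PolicyName=policy_name,
                                PolicyDocument=json.dumps(permissions_policy(bucket)))
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(trust_policy(rds_account_id)))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=created["Policy"]["Arn"])
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(
        bucket_policy(bucket, rds_account_id, option_group_role)))


if __name__ == "__main__":
    scoped = bucket_policy("accountb-sqlbackups", "111122223333", "rds-s3-role")
    print("post's bucket policy:", audit(POST_BUCKET_POLICY))
    print("scoped bucket policy:", audit(scoped) or "clean")
    print(json.dumps(trust_policy("111122223333"), indent=2))
```

Run as a script, it prints the audit findings for the post's bucket policy next to the scoped one and the rendered trust policy. To check what is already deployed, feed audit() the JSON returned by `aws iam get-role --role-name RDSCrossAccountRole` (the AssumeRolePolicyDocument field) or `aws s3api get-bucket-policy --bucket <name>`.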

Cross-region replication

What if the backup files need to be in a different Region? For that scenario, set up cross-Region replication on the S3 bucket. For information about how to do this, see the blog post Cross-Region Replication for Amazon S3.

Cross-Region replication also serves as a disaster recovery (DR) strategy: backups are copied to a second Region, from which they can be restored either in that Region or back in the original one if the primary Region is unavailable.

Replication works on objects created after it is enabled; objects that already exist in the bucket are not copied retroactively. After Amazon S3 replicates an object, the replica is not replicated again onward to a further bucket. When this post was written, a replication configuration could target only one destination bucket; S3 has since added support for multiple destination buckets.

For more information, see Cross-Region Replication in the Amazon S3 Developer Guide.

Summary

This post briefly describes what you need to set up in order to perform cross-account native backup and restore in Amazon RDS for SQL Server. You can perform native backup and restore across multiple AWS accounts provided that you have an RDS instance and S3 bucket in the same AWS Region.

For more information about native backup and restore, see Microsoft SQL Server Native Backup and Restore Support in the Amazon RDS User Guide.


About the Author

Kirthi Vishal is a Support Engineer with Amazon Web Services. He is a subject matter expert on RDS and RDS for SQL Server who works with our customers to provide guidance and technical assistance on Relational Database Services, helping them improve the value of their solutions when using AWS.