Centralized cross-account management with Cross-Region copy using AWS Backup
Many organizations begin their cloud journey with a single AWS account and gradually expand their cloud presence into a multi-account environment for regulatory, compliance, security, or cost tracking purposes. Organizations often choose to deploy workloads and applications in multiple Regions on AWS Global Infrastructure for high availability, scalability, and performance. Building and operating in multi-account and multi-Region environments requires global disaster recovery (DR) and business continuity strategies. Customers want a centralized backup management process that consolidates and automates Cross-Region backup tasks across their AWS accounts to reduce overhead and improve backup compliance.
AWS Backup is a fully managed and cost-effective backup service that simplifies and automates data backup across AWS services including Amazon EBS, Amazon EC2, Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon EFS, and AWS Storage Gateway. In addition, AWS Backup leverages AWS Organizations to implement and maintain a central view of backup policy across resources in a multi-account AWS environment. Customers simply tag their AWS resources and associate them with backup policies managed by AWS Backup for Cross-Region data replication. In this blog post, I show you how to centrally manage backup tasks across AWS accounts in your organization by deploying backup policies with AWS Backup.
To get started, create organizational units (OUs) in a management account and place three member accounts (Prod Account, QA Account, Dev Account) in the organization hierarchy as shown in the following diagram:
- Root OU contains two OUs named Prod OU and Non-Prod OU.
- Place Prod Account in the Prod OU.
- Create QA OU and Dev OU under Non-Prod OU.
- Place QA Account in the QA OU.
- Place Dev Account in the Dev OU.
You can follow step 1 and step 2 in this tutorial to create the same organization hierarchy and account structure. Then, follow this guide to enable all features in AWS Organizations; backup policies are only available to organizations that have all features enabled. AWS Backup can then manage and monitor backup and restore operations across the AWS accounts in your organization.
In the Prod Account, create and tag the following resources with backup as tag key and prod as tag value:
- One Amazon RDS PostgreSQL database in the US East (N. Virginia) Region.
- One Amazon EFS file system in the Europe (Ireland) Region.
In the QA Account and Dev Account, create and tag the following resources with backup as tag key and nonprod as tag value:
- One Amazon EC2 instance in each of US East (N. Virginia) and Europe (Ireland). You can also use any existing resources.
Later, you create backup policies in the management account to automate the Cross-Region copy for these resources from US East (N. Virginia) and Europe (Ireland) to Asia Pacific (Tokyo).
Note: AWS Backup does not currently support Cross-Region copy for Amazon DynamoDB tables.
The following diagram provides a high-level outline of the multi-account backup architecture I walk through in this blog. I create one backup policy for the Prod OU and a second backup policy for the Non-Prod OU. I then deploy AWS CloudFormation StackSets to automate provisioning of the IAM role and backup vaults in the member accounts.
Follow these steps to protect resources across AWS accounts and replicate data backup to other Regions:
- Opt in to cross-account management
- Create IAM role
- Create backup vaults
- Create backup policies
- Attach backup policies to targets
- Monitor backup and restore activities across AWS accounts
Step 1: Opt in to cross-account management
- Log in to your management account, navigate to the AWS Backup console, and choose Settings in the left navigation pane.
- Choose Enable for both Backup policies and Cross-account monitoring. You should see the Status change to Enabled.
- Enable all resource types supported by AWS Backup.
Step 2: Create IAM role
AWS Backup assumes an Identity and Access Management (IAM) service role that you pass to it and uses that role to perform backup and restore operations on your behalf. Complete the following steps to deploy this IAM role in the member accounts:
- Launch an AWS CloudFormation StackSet in the management account, and paste https://awsstorageblogresources.s3.us-west-2.amazonaws.com/chersimoncrossregioncopyblog/IAMStackSet.yaml in Amazon S3 URL.
- Provide a StackSet name. Enter crossaccountbackuprole in IAM Configuration. Choose Next.
- Choose Service managed permissions to allow automatic deployment of this IAM role to any new accounts that are added to the target OUs in future. Choose Next.
- Choose Deploy to organization. Choose US East (N. Virginia) in Specify regions; IAM is a global service, so the role only needs to be created in one Region. Keep other default settings. Choose Next.
- Select the check box for I acknowledge that AWS CloudFormation might create IAM resources with custom names. Choose Submit. You can confirm that the deployment completed under the Stack instances tab. Wait for the Status to change from OUTDATED to CURRENT for all stack instances, as shown in the following screenshot.
Note: AWS Backup does not validate whether the role exists or the role can be assumed in the member account. Be sure to validate the appropriate IAM role in each account you add to backup policies, crossaccountbackuprole in this case.
Step 3: Create backup vaults
A recovery point in AWS Backup represents the backup content of a resource at a given point in time stored in the backup vault. Complete the following steps to create distinct backup vaults in both the source and destination Regions for each account that you want protected by AWS Backup:
- While still in the management account, launch an AWS CloudFormation StackSet, and paste https://awsstorageblogresources.s3.us-west-2.amazonaws.com/chersimoncrossregioncopyblog/BackupVaultStackSet.yaml in Amazon S3 URL.
- Provide a StackSet name. Enter prodbackupvault in AWS Backup Configuration. Choose Next.
- Choose Service managed permissions to allow automatic deployment of this backup vault to any new accounts that are added to the target OUs in future. Choose Next.
- Choose Deploy to organizational units (OUs). Enter your OU ID for Prod OU in AWS OU ID. You can obtain the OU ID from the AWS Organizations console under the Organize accounts tab.
- Choose US East (N. Virginia), Asia Pacific (Tokyo), and Europe (Ireland) in Specify regions. Keep other default settings. Choose Next. Choose Submit.
Repeat these 5 steps for Non-Prod OU:
- Replace Backup vault name in step 2 with nonprodbackupvault.
- Replace AWS OU ID in step 3 with your OU ID for Non-Prod OU.
Note: The Backup vault name is case-sensitive and AWS Backup does not validate whether the desired backup vault exists. Be sure to validate that you have the appropriate backup vault created in each member account and Region that you want protected.
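The notes in Step 2 and Step 3 both come down to the same operational gap: AWS Backup trusts the role name and vault name you type into the policy and only reports a problem when a job fails. The following script is an added example, not part of this blog or of the StackSet templates, that performs those checks per member account before a policy is attached. It expects client objects with the boto3 methods it uses (iam.get_role, iam.list_attached_role_policies, backup.describe_backup_vault); the fake clients and account data at the bottom are constructed so it runs offline. With real credentials you would build the clients from a boto3.Session for an assumed role in each member account, one backup client per Region.

```python
"""Verify what AWS Backup does not: the role exists in the member account,
trusts backup.amazonaws.com, carries the two AWS managed backup policies, and
the backup vault exists (exact, case-sensitive name) in every covered Region.

Added example. Clients only need the boto3 methods used below; the fakes at
the bottom stand in for them with constructed data so this runs offline.
"""

MANAGED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup",
    "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores",
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def role_trusts_backup(trust_policy):
    """True if an Allow statement lets backup.amazonaws.com call sts:AssumeRole."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if "backup.amazonaws.com" in _as_list(stmt.get("Principal", {}).get("Service")):
            return True
    return False


def check_role(iam, role_name):
    """Findings for the role; an empty list means AWS Backup can use it."""
    try:
        role = iam.get_role(RoleName=role_name)["Role"]
    except Exception as exc:  # boto3: iam.exceptions.NoSuchEntityException
        return [f"role {role_name} not found ({exc})"]
    findings = []
    # boto3 returns AssumeRolePolicyDocument already decoded into a dict.
    if not role_trusts_backup(role["AssumeRolePolicyDocument"]):
        findings.append(f"role {role_name} does not trust backup.amazonaws.com")
    attached = {p["PolicyArn"] for p in
                iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]}
    for arn in sorted(MANAGED_POLICY_ARNS - attached):
        findings.append(f"role {role_name} lacks {arn.rsplit('/', 1)[1]}")
    return findings


def check_vault(backup, region, vault_name):
    """Findings for one Region; DescribeBackupVault is an exact-case lookup."""
    try:
        backup.describe_backup_vault(BackupVaultName=vault_name)
    except Exception as exc:  # boto3: backup.exceptions.ResourceNotFoundException
        return [f"{region}: vault {vault_name} not found ({exc})"]
    return []


def verify_account(account_id, iam, backup_by_region, role_name, vault_name):
    """All checks for one account; backup_by_region maps Region -> backup client."""
    findings = check_role(iam, role_name)
    for region in sorted(backup_by_region):
        findings += check_vault(backup_by_region[region], region, vault_name)
    return [f"{account_id}: {f}" for f in findings]


# ---- constructed fakes and sample data; no AWS calls are made ---------------
class FakeIam:
    def __init__(self, roles):  # roles: name -> (trust policy dict, [policy ARNs])
        self.roles = roles

    def get_role(self, RoleName):
        if RoleName not in self.roles:
            raise LookupError("NoSuchEntity")
        return {"Role": {"RoleName": RoleName,
                         "AssumeRolePolicyDocument": self.roles[RoleName][0]}}

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self.roles[RoleName][1]]}


class FakeBackup:
    def __init__(self, vault_names):
        self.vaults = set(vault_names)

    def describe_backup_vault(self, BackupVaultName):
        if BackupVaultName not in self.vaults:
            raise LookupError("ResourceNotFoundException")
        return {"BackupVaultName": BackupVaultName}


GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
              "Principal": {"Service": "backup.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
REGIONS = ["us-east-1", "eu-west-1", "ap-northeast-1"]


def run_sample():
    """Constructed scenario: Prod account is complete; Dev account has a role
    missing the restore policy and a Tokyo vault created with the wrong case."""
    prod_iam = FakeIam({"crossaccountbackuprole": (GOOD_TRUST, sorted(MANAGED_POLICY_ARNS))})
    prod_backup = {r: FakeBackup(["prodbackupvault"]) for r in REGIONS}
    dev_iam = FakeIam({"crossaccountbackuprole": (GOOD_TRUST, [
        "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"])})
    dev_backup = {r: FakeBackup(["nonprodbackupvault"]) for r in REGIONS[:2]}
    dev_backup["ap-northeast-1"] = FakeBackup(["NonProdBackupVault"])  # case mismatch
    return {"111111111111": verify_account("111111111111", prod_iam, prod_backup,
                                           "crossaccountbackuprole", "prodbackupvault"),
            "333333333333": verify_account("333333333333", dev_iam, dev_backup,
                                           "crossaccountbackuprole", "nonprodbackupvault")}


if __name__ == "__main__":
    for account, findings in run_sample().items():
        print(account, "OK" if not findings else "; ".join(findings))
```

Run this from the management account against every account in the target OUs, with the same role and vault names you will type into the backup policy; the Dev scenario shows the two failures that the console accepts silently, a missing restore permission and a vault whose name differs only in case.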
Step 4: Create backup policies
Follow these steps to create a backup policy for the Prod OU:
1. Log in to the AWS Backup console in management account, choose Backup policies and choose Create backup policies.
2. In the Create policy section, provide the following:
a) In Policy name, enter prodbackuppolicy.
b) A description for the policy.
3. In the Configure Backup plan section, under Backup plan details, provide the following:
a) In Backup plan name, enter prodbackupplan.
b) In Backup plan regions, select US East (N. Virginia), Europe (Ireland), and Asia Pacific (Tokyo).
c) In Rule name, enter prodbackuprule.
d) In Frequency, choose Daily.
e) In Backup window, choose Use backup window defaults – recommended, which opens the backup window at 5 AM UTC (Coordinated Universal Time) and allows backup jobs to start within the following 8 hours.
f) In Lifecycle, choose Transition to cold storage 3 months after creation and Expire 6 months after creation. Note: At the time of writing, cold storage is only supported for Amazon EFS; for other resource types the cold storage transition is ignored and the recovery points stay in warm storage until they expire, which is what happens to the Amazon RDS recovery points in this tutorial. Also note that recovery points must remain in cold storage for a minimum of 90 days, so the expiration must be at least 90 days after the cold storage transition; 3 months and 6 months satisfy this.
g) Enter prodbackupvault in Backup vault name.
h) For Copy to region(s), select Asia Pacific (Tokyo) in Destination Region. Expand Advanced settings, enter prodbackupvault in Backup vault name. Choose Transition to cold storage 3 months after creation and Expire 6 months after creation.
4. In the Assign resources section, provide the following:
a) Enter prodresources in Resource assignment name. Enter crossaccountbackuprole in IAM role.
b) Enter backup in Resource tag key and prod in Tag values.
c) Choose Create Policy.
Repeat these 4 steps to create a backup policy for Non-Prod OU:
- Replace Policy name in step 2a with nonprodbackuppolicy.
- Replace Backup plan name in step 3a with nonprodbackupplan.
- Replace Rule name in step 3c with nonprodbackuprule.
- Replace Backup vault name in step 3g with nonprodbackupvault.
- Replace Resource assignment name in step 4a with nonprodresources.
- Replace Tag values in step 4b with nonprod.
Step 5: Attach backup policies to targets
You are now ready to attach the backup policies to targets, which can be individual accounts or OUs. Applying a backup policy to an OU protects resources across all member accounts under the selected OU.
- While still in the AWS Backup console, choose Backup Policies and select prodbackuppolicy. In the Targets section, choose Attach and select Prod OU. Confirm Attach.
- Repeat the same for nonprodbackuppolicy and select Non-Prod OU.
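Behind the console form in Step 4, a backup policy is a JSON document in the AWS Organizations backup policy syntax, and Step 5 attaches that document to an OU. The following script is an added example, not code from this blog, that builds both documents from the names used above and checks the lifecycle values before anything is submitted. The "@@assign" operators and the "$account" variable are part of the Organizations policy syntax; the 8-hour start window mirrors the console default described in Step 4, while the 7-day completion window is my assumption taken from the console default.

```python
"""Build the AWS Organizations backup policy documents for the prod and
non-prod OUs described above, and validate the lifecycle before submission.

Added example, not the blog's code. Keys follow the Organizations backup
policy syntax; the completion window value is an assumption (console default).
"""
import json

MIN_COLD_STORAGE_DAYS = 90  # AWS Backup keeps cold recovery points for at least 90 days
REGIONS = ["us-east-1", "eu-west-1", "ap-northeast-1"]  # N. Virginia, Ireland, Tokyo
COPY_REGION = "ap-northeast-1"


def assign(value):
    """Wrap a value in the @@assign operator used by Organizations policies."""
    return {"@@assign": value}


def lifecycle(cold_after_days, delete_after_days):
    """Lifecycle block; rejects an expiry that falls inside the 90-day cold minimum."""
    if (cold_after_days is not None and delete_after_days is not None
            and delete_after_days - cold_after_days < MIN_COLD_STORAGE_DAYS):
        raise ValueError(
            f"expire ({delete_after_days}d) must be at least {MIN_COLD_STORAGE_DAYS} "
            f"days after the cold storage transition ({cold_after_days}d)")
    block = {}
    if cold_after_days is not None:
        block["move_to_cold_storage_after_days"] = assign(str(cold_after_days))
    if delete_after_days is not None:
        block["delete_after_days"] = assign(str(delete_after_days))
    return block


def build_backup_policy(env, tag_value, plan_regions=REGIONS, copy_region=COPY_REGION,
                        cold_after_days=90, delete_after_days=180):
    """Policy for one environment; names follow the blog (<env>backupplan, ...)."""
    vault = f"{env}backupvault"
    copy_vault_arn = f"arn:aws:backup:{copy_region}:$account:backup-vault:{vault}"
    rule = {
        "schedule_expression": assign("cron(0 5 ? * * *)"),  # daily at 05:00 UTC
        "start_backup_window_minutes": assign("480"),         # may start within 8 hours
        "complete_backup_window_minutes": assign("10080"),    # assumption: 7 days
        "target_backup_vault_name": assign(vault),
        "lifecycle": lifecycle(cold_after_days, delete_after_days),
        "copy_actions": {
            copy_vault_arn: {
                "target_backup_vault_arn": assign(copy_vault_arn),
                "lifecycle": lifecycle(cold_after_days, delete_after_days),
            }
        },
    }
    selection = {
        "iam_role_arn": assign("arn:aws:iam::$account:role/crossaccountbackuprole"),
        "tag_key": assign("backup"),
        "tag_value": assign([tag_value]),
    }
    return {"plans": {f"{env}backupplan": {
        "regions": assign(list(plan_regions)),
        "rules": {f"{env}backuprule": rule},
        "selections": {"tags": {f"{env}resources": selection}},
    }}}


def render(policy):
    """Serialize for `aws organizations create-policy --type BACKUP_POLICY`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for env, tag in (("prod", "prod"), ("nonprod", "nonprod")):
        with open(f"{env}backuppolicy.json", "w") as fh:
            fh.write(render(build_backup_policy(env, tag)))
        print(f"wrote {env}backuppolicy.json")
```

The generated files can be submitted from the management account with `aws organizations create-policy --type BACKUP_POLICY --name prodbackuppolicy --content file://prodbackuppolicy.json` and attached with `aws organizations attach-policy --policy-id <policy id> --target-id <OU id>`, which is the CLI equivalent of Steps 4 and 5. Keeping the document in source control also gives you a diffable record of the retention values, which the console does not.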
Step 6: Monitor backup and restore activities across AWS accounts
Within the management account, you can monitor backup, copy, and restore jobs across your AWS accounts under Cross-account monitoring in AWS Backup console.
To restore a backup via the AWS Backup console, choose Protected resources and select the Resource ID from the list. Choose the recovery point that you want restored and choose Restore. Follow the prompts and provide the restore parameters. Choose Restore backup.
Congratulations! You have now successfully configured AWS Backup to centrally manage the backup tasks and Cross-Region copy across your AWS multi-account environment.
To avoid incurring future charges, follow these steps to remove the example resources:
- Remove target OUs from the backup policies.
- Delete backup policies, backup plans, and recovery points by following this guide.
- Delete the IAM role and backup vaults by deleting the stack instances from your stack set in the AWS CloudFormation console. Then, delete the stack sets.
In this blog post, I showed you how to achieve centralized cross-account management and deploy backup policies with Cross-Region copy using AWS Backup. I also provided sample AWS CloudFormation StackSets to automate the required IAM role and backup vaults across existing and new AWS accounts. Now you can incorporate this process in your DR plan and simplify business continuity strategy across your AWS environments while minimizing administrative overhead.
Thanks for reading this blog post! If you have any comments or questions, please don’t hesitate to leave them in the comments section.