Secure data recovery with cross-account backup and Cross-Region copy using AWS Backup
UPDATE: On April 12, 2021, AWS announced support for copying Amazon FSx file system backups across AWS Regions and AWS accounts. For more information, read this blog post on cross-Region and cross-account backups for Amazon FSx using AWS Backup.
There are many benefits to using more than one AWS account, including resource and operational isolation, disaster recovery (DR), security boundaries, and cost tracking. Having a multi-account strategy is critical to maintaining business continuity and achieving regulatory compliance. Protecting and securing business-critical data in the cloud can be complex, challenging, and time-consuming. Customers want a centralized and comprehensive backup and recovery management process across their AWS accounts to minimize business impact during an unexpected disaster.
AWS Backup is a fully managed, cost-effective, and centralized data protection service for AWS resources. Customers can easily manage backups for Amazon EC2 instances, Amazon EBS volumes, Amazon RDS databases (including Amazon Aurora clusters), Amazon DynamoDB tables, and AWS Storage Gateway volumes. You can also centrally manage your workloads deployed on Amazon EFS, Amazon FSx for Lustre, and Amazon FSx for Windows File Server.
In a previous blog post, I covered how AWS Backup can simplify centralized backup management with Cross-Region copy. In this blog, I cover how AWS Backup extends multi-account backup management capabilities with cross-account backup and Cross-Region copy. Using AWS Backup, organizations can protect and secure their AWS resources and business-critical data with minimal administrative overhead, ensuring sustained business performance for their customers. Cross-account backup provides another layer of centralized backup management functionality, further enabling organizations to efficiently and effectively manage their backup solutions at scale.
The following diagram provides a high-level outline of the cross-account backup architecture in this blog. First, I deploy AWS CloudFormation StackSets in the management account. The CloudFormation stack set automates the AWS Identity and Access Management (IAM) role, backup vaults, and AWS Key Management Service (AWS KMS) key provisioning for source and destination accounts. Each backup vault is encrypted with a KMS key. Then, I create a backup policy in the management account. The backup policy populates a backup plan to SourceAccount and automates the scheduled backup from SourceAccount in the US East (N. Virginia) Region to DestinationAccount in the Europe (Ireland) Region. Finally, I trigger an on-demand backup restore from DestinationAccount in Europe (Ireland) Region to SourceAccount in the US East (N. Virginia) Region.
Before getting started, we need to create an organization using AWS Organizations. First, create a new account – you use this to create the organization and it is the management account of the organization. In the management account, create the organization using AWS Organizations; it will have all-features enabled by default. Then, create two new accounts using Organizations – these will be the SourceAccount and DestinationAccount. If you have already created an Organization, you can create two new accounts or utilize two existing accounts in your organization as well. Now you are ready to use AWS Backup across accounts within your organization, enabling you to manage and monitor backup and restore operations across AWS accounts.
Follow these steps to protect resources across AWS accounts and Regions.
- Opt in to cross-account backup.
- Create an IAM role.
- Create backup vaults.
- Create a backup policy.
- Initiate an on-demand restore.
Step 1: Opt in to cross-account backup
- Log in to your management account, then navigate to the AWS Backup console, and choose Settings in the left navigation pane.
- Choose Enable for Backup policies, Cross-account monitoring, and Cross-account backup. You should see the Status changed to Enabled.
- Enable all resource types supported by AWS Backup. Note: Cross-account backup does not currently support Amazon DynamoDB tables or Amazon FSx file systems.
Step 2: Create an IAM role
Complete the following steps to deploy an IAM role. AWS Backup assumes this IAM role to perform backup and restore operations on your behalf.
- Log in to your management account, launch an AWS CloudFormation StackSet, choose Amazon S3 URL, and paste https://awsstorageblogresources.s3.us-west-2.amazonaws.com/chersimonawsbackupblog/CABIAMStackSet.yaml in Amazon S3 URL. Choose Next.
- Provide a StackSet name. Keep cabrole as the default value in IAM Configuration. Choose Next.
- Choose Service managed permissions to allow the automatic deployment of this IAM role to any new accounts added to the organization in the future. Choose Next.
- Choose Deploy to organization. Select US East (N. Virginia) in Specify regions. Keep other default settings. Choose Next.
- Select the check box for I acknowledge that AWS CloudFormation might create IAM resources with custom names. Choose Submit.
- You can validate the stack sets deployment completion under the Stack instances tab. As shown in the following screenshot, wait for the Status to change from OUTDATED to CURRENT for all stack instances.
Note: AWS Backup does not validate whether the IAM role exists or the IAM role can be assumed in the member accounts. Be sure to validate the appropriate IAM role in each account you add to backup policies.
Step 3: Create backup vaults
In this section, you automate the set up of encrypted AWS Backup vaults across Regions within your AWS Organizations. To do so, I walk through using a sample AWS CloudFormation template and validating the access permissions for the backup vaults.
A: Deploy a CloudFormation template to create distinct backup vaults and AWS KMS key in each member account
- Log in to your management account, launch an AWS CloudFormation StackSet, choose Amazon S3 URL, and paste https://awsstorageblogresources.s3.us-west-2.amazonaws.com/chersimonawsbackupblog/CABVaultStackSets.yaml in Amazon S3 URL. Choose Next.
- Provide a StackSet name. Enter your AWS Organizations ID and AWS account ID for SourceAccount. Choose Next.
- Choose Service managed permissions to allow the automatic deployment of this backup vault to any new accounts added to the organization in the future. Choose Next.
- Choose Deploy to organization. Choose US East (N. Virginia) and EU (Ireland) in Specify regions. Keep other default settings. Choose Next. Choose Submit.
- You can validate the stack sets deployment completion under the Stack Instances tab. As shown in the following screenshot, wait for the Status to change from OUTDATED to CURRENT for all stack instances.
B: Validate backup vaults and access permissions
- Navigate to the AWS Backup console in your destination account. Select Backup vaults in the left navigation pane. Select cabvault, verify that the backup vault is protected with a KMS key. Take note of the ARN of your KMS key used by cabvault in the Region.
- In the Access policy section, verify your organization ID. Alternatively, you can limit backup vault access to an organizational unit, account, and IAM role by adding a Deny statement of backup:CopyFromBackupVault. You can also use the Add permissions drop-down menu in the Access policy section.
- Navigate to the AWS KMS console, select customer-managed keys in the left navigation pane. Select your KMS key from the list. In the Key policy section, verify your AWS account ID for SourceAccount and DestinationAccount.
Note: The vault name is case-sensitive. AWS Backup does not validate whether the desired backup vault exists. Be sure to validate that you have the appropriate backup vault created in each member account and Region that you want protected.
Step 4: Create a backup policy
Follow these steps to create a backup policy to automate a scheduled backup from SourceAccount to DestinationAccount.
- Log in to the AWS Backup console in your management account, choose Backup policies, and choose Create backup policy.
- In the Create policy section, provide the following:
- In Policy name, enter cabpolicy.
- Enter a description for the policy.
- In the Configure Backup plan section, provide the following:
- In Backup plan name, enter cabplan.
- In Backup plan Regions, select US East (N. Virginia) and Europe (Ireland).
- In Rule name, enter cabrule.
- In Frequency, choose Daily. In the Backup window, select Use backup window defaults – recommended, which initiates the backup job at 5 AM UTC (Coordinated Universal Time) and lasts 8 hours. Keep the default value for Lifecycle. You can refer to the documentation on how to customize backup frequency.
- Enter cabvault in Backup vault name. Select Europe (Ireland) in Destination Region. Expand Advanced settings, enter the backup vault Amazon Resource Names (ARNs) for DestinationAccount in Europe (Ireland) Region, for example, arn:aws:backup:eu-west-1:[DESTINATIONACCOUNT_ACCOUNTID]:backup-vault:cabvault. Choose Add rule.
- In Assign resources section, provide the following:
- Enter cabresources in Resource assignment name. Enter cabrole in IAM role.
- Enter backup in Resource tag key and cab in Tag values.
- Choose Add assignment, then choose Create Policy.
You are now ready to attach individual accounts or an organizational unit as targets to the backup policy. Applying a backup policy to an organizational unit protects resources across member accounts under the selected organizational unit.
- While still in the AWS Backup console, choose Backup Policies and select cabpolicy. In the Targets section, select Attach and select your SourceAccount. Confirm Attach.
- Within the management account, you can monitor backup, restore, and copy jobs across your AWS accounts under Cross-account monitoring in the AWS Backup console.
Step 5: Initiate an on-demand restore
Trigger an on-demand backup restore from DestinationAccount to SourceAccount.
- Log in to the AWS Backup console in your DestinationAccount. Select Backup vaults in the left navigation pane. Choose cabvault. Select one of the backups in the Backups section, choose Copy.
- In the Copy configuration section, choose Copy back to source account. Select Choose an IAM role, then choose cabrole in Role name. Choose Copy. Alternatively, provide the backup vault ARN if you choose Copy to different destination.
Congratulations! You have now successfully configured AWS Backup to securely back up and restore resources across your AWS accounts.
To avoid incurring future charges, follow these steps to remove the example resources:
- Remove target organizational units from the backup policy.
- Delete backup policy, backup plans, and recovery points by following this guide.
- Delete the IAM role and backup vaults by deleting the stack instances from your stack set in the AWS CloudFormation console. Then, delete the stack sets.
In this blog post, I showed you how to back up and restore AWS resources securely using cross-account backup and Cross-Region copy with AWS Backup. I provided a sample AWS CloudFormation template to provision the required resources for cross-account backup and Cross-Region copy configuration, and covered centrally managing and monitoring backup tasks from the management account using backup policies.
Having a multi-account backup strategy that is all centrally managed, even across numerous Regions, offers organizations the opportunity to consolidate their backup workloads and improve efficiency at scale while ensuring the security of their data against damage or loss. AWS Backup enables organizations to implement a centralized and cost-effective data backup strategy. The service enables organizations to increase the reliability and security of business-critical data across their AWS environments. Using AWS Backup’s cross-account backup and Cross-Region copy capabilities, organizations can quickly restore important data to the source or destination accounts in their preferred AWS Region. This enables AWS Backup users to minimize business impact in the event of an account compromise, unexpected disaster, or service interruption.
Thanks for reading this blog post. If you have any comments or questions, please do not hesitate to leave them in the comments section.