Creating backup copies across AWS accounts - AWS Backup


Using AWS Backup, you can back up to multiple AWS accounts on demand or automatically as part of a scheduled backup plan. Use a cross-account backup if you want to securely copy your backups to one or more AWS accounts in your organization for operational or security reasons. If your original backup is inadvertently deleted, you can copy the backup from its destination account to its source account, and then start the restore. Before you can do this, you must have two accounts that belong to the same organization in the AWS Organizations service. For more information, see Tutorial: Creating and configuring an organization in the Organizations User Guide.

In your destination account, you must create a backup vault. Then, you assign a customer managed key to encrypt backups in the destination account, and a resource-based access policy to allow AWS Backup to access the resources you would like to copy. In the source account, if your resources are encrypted with a customer managed key, you must share this customer managed key with the destination account. You can then create a backup plan and choose a destination account that is part of your organizational unit in AWS Organizations.

You can use AWS Backup to copy your backups for all supported resources, subject to the following limitations:

  • DynamoDB does not support cross-Region backup.

  • For all services except Amazon EFS, cross-account backup only supports customer managed keys. It does not support vaults that are encrypted using AWS keys, including default vaults, because AWS keys are not intended to be shared between accounts.

    You must use vaults other than your default vaults to perform cross-account backup.

    For Amazon EFS, you can perform cross-account backups using any Amazon EFS backup vault because AWS Backup independently manages the encryption for each Amazon EFS backup vault.

  • Amazon RDS and Aurora support cross-Region backup, or cross-account backup, but not both in the same backup plan. You can use an AWS Lambda script to accomplish both. Also, copying Amazon RDS custom option groups across AWS Regions is not supported.

  • Amazon EC2 does not allow cross-account copies of AWS Marketplace AMIs. For more information, see Copying an AMI in the Amazon EC2 User Guide.

Cross-Region backups are available in all AWS Regions that are available in AWS Backup except: China Regions, Asia Pacific (Hong Kong), Middle East (Bahrain), Europe (Milan), Africa (Cape Town), and Asia Pacific (Tokyo).

Setting up cross-account backup

What do you need to create cross-account backups?

  • A source account

    The source account is the account where your production AWS resources and primary backups reside.

    The source account user initiates the cross-account backup operation. The source account user or role must have appropriate API permissions to initiate the operation. Appropriate permissions might be the AWS managed policy AWSBackupFullAccess, which enables full access to AWS Backup operations, or a customer managed policy that grants the required API permissions, such as ec2:ModifySnapshotAttribute. For more information about both policy types, see AWS Backup Managed Policies.

  • A destination account

    The destination account is the account where you would like to keep a copy of your backup. You can choose more than one destination account. The destination account must be in the same organization as the source account in AWS Organizations.

    You must "Allow" the access policy backup:CopyIntoBackupVault for your destination backup vault. Without this policy, attempts to copy into the destination account are denied.

  • A management account in AWS Organizations

    The management account is the primary account in your organization, as defined by AWS Organizations, that you use to manage cross-account backup across your AWS Accounts. You also need to enable service trust to use cross-account backup. After enabling service trust, you can use any account in the organization as a destination account. From your destination account, you can choose which vaults to use for cross-account backup.

  • Enable cross-account backup in the AWS Backup console

For information about security, see Security consideration for cross account backup.

To use cross-account backup, you must enable the cross-account backup feature. Then, you must "Allow" the access policy backup:CopyIntoBackupVault into your destination backup vault.

To enable cross-account backup

  1. Log in to AWS using your AWS Organizations management account credentials. Cross-account backup can only be enabled or disabled using these credentials.

  2. Open the AWS Backup console at https://console.aws.amazon.com/backup.

  3. In My account, choose Settings.

  4. For Cross-account backup, choose Enable.

  5. In Backup vaults, choose your destination vault.

  6. In the Access policy section, "Allow" backup:CopyIntoBackupVault. For an example, choose Add permissions and then Allow access to a Backup vault from organization.

  7. Now, any account in your organization can share the contents of their backup vault with any other account in your organization. For more information, see Sharing a backup vault with a different AWS account. To limit which accounts can receive the contents of other accounts' backup vaults, see Configuring your account as a destination account.

Scheduling cross-account backup

You can use a scheduled backup plan to copy backups across AWS accounts.

To copy a backup using a scheduled backup plan

  1. Open the AWS Backup console at https://console.aws.amazon.com/backup.

  2. In My account, choose Backup plans, and then choose Create Backup plan.

  3. On the Create Backup plan page, choose Build a new plan.

  4. For Backup plan name, enter a name for your backup plan.

  5. In the Backup rule configuration section, add a backup rule that defines a backup schedule, backup window, and lifecycle rules. You can add more backup rules later.

    For Rule name, enter a name for your rule.

  6. In the Schedule section under Frequency, choose how often you want the backup to be taken.

  7. For Backup window, choose Use backup window defaults (recommended). You can customize the backup window.

  8. For Backup vault, choose a vault from the list. Recovery points for this backup will be saved in this vault. You can create a new backup vault.

  9. In the Generate copy - optional section, enter the following values:

    Destination region

    Choose the destination AWS Region for your backup copy. Your backup will be copied to this Region. You can add a new copy rule per copy to a new destination.

    Note

    Copying Amazon DynamoDB tables across AWS Regions is not supported.

    Copy to another account's vault

    Toggle to choose this option. The option turns blue when selected. The External vault ARN option will appear.

    External vault ARN

    Enter the Amazon Resource Name (ARN) of the destination account's backup vault. The ARN is a string that contains the account ID and its AWS Region. AWS Backup copies the backup to that vault. The Destination region list automatically updates to the Region in the external vault ARN.

    For Allow Backup vault access, choose Allow. Then choose Allow in the wizard that opens.

    AWS Backup needs permissions to access the external account in order to copy the backup to the specified vault. The wizard shows the following example policy, which provides this access:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Allow account to copy into backup vault",
          "Effect": "Allow",
          "Action": "backup:CopyIntoBackupVault",
          "Resource": "*",
          "Principal": { "AWS": "arn:aws:iam::account-id:root" }
        }
      ]
    }

    (Advanced settings) Transition to cold storage (for EFS only)

    Choose the options you want for your EFS file system.

    Choose when to transition the backup copy to cold storage and when to expire (delete) the copy. Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. This value cannot be changed after a copy has transitioned to cold storage.

    Currently only Amazon EFS file system backups can be transitioned to cold storage. The cold storage expression is ignored for the backups of Amazon Elastic Block Store (Amazon EBS), Amazon Relational Database Service (Amazon RDS), Amazon Aurora, Amazon DynamoDB, and AWS Storage Gateway.

    Expire specifies the number of days after creation that the copy is deleted. This value must be more than 90 days after the Transition to cold storage value.

    Note

    When backups expire and are marked for deletion as part of your lifecycle policy, AWS Backup deletes the backups at a randomly chosen point over the following 24 hours. This window helps ensure consistent performance.

  10. Choose Tags added to recovery points to add tags to your recovery points.

  11. For Advanced backup settings, choose Windows VSS to enable application-aware snapshots for the selected third-party software running on EC2.

  12. Choose Create plan.

Performing on-demand cross-account backup

You can copy a backup to a different AWS account on demand.

To copy a backup on-demand

  1. Open the AWS Backup console at https://console.aws.amazon.com/backup.

  2. For My account, choose Backup vault to see all your backup vaults listed. You can filter by the backup vault name or tag.

  3. Choose the Recovery point ID of the backup you want to copy.

  4. Choose Copy.

  5. Expand Backup details to see information about the recovery point you are copying.

  6. In the Copy configuration section, choose an option from the Destination region list.

  7. Choose Copy to another account's vault. The option turns blue when selected.

  8. Enter the Amazon Resource Name (ARN) of the destination account's backup vault. The ARN is a string that contains the account ID and its AWS Region. AWS Backup copies the backup to that vault. The Destination region list automatically updates to the Region in the external vault ARN.

  9. For Allow Backup vault access, choose Allow. Then choose Allow in the wizard that opens.

    AWS Backup needs permissions to access the external (source) account. The wizard shows an example policy that provides this access, shown following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Allow account to copy into backup vault",
          "Effect": "Allow",
          "Action": "backup:CopyIntoBackupVault",
          "Resource": "*",
          "Principal": { "AWS": "arn:aws:iam::account-id:root" }
        }
      ]
    }

  10. (Amazon EFS only) For Transition to cold storage, choose the options you want for your EFS file system.

    Choose when to transition the backup copy to cold storage and when to expire (delete) the copy. Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. This value cannot be changed after a copy has transitioned to cold storage.

    Currently only Amazon EFS file system backups can be transitioned to cold storage. The cold storage expression is ignored for the backups of Amazon EBS, Amazon RDS, Amazon Aurora, Amazon DynamoDB, and AWS Storage Gateway.

    Expire specifies the number of days after creation that the copy is deleted. This value must be more than 90 days after the Transition to cold storage value.

    Note

    When backups expire and are marked for deletion as part of your lifecycle policy, AWS Backup deletes the backups at a randomly chosen point over the following 24 hours. This window helps ensure consistent performance.

  11. For IAM role, specify the IAM role (such as the default role) that has the permissions to make your backup available for copying. The copy itself is performed by your destination account's service-linked role.

  12. Choose Copy. Depending on the size of the resource you are copying, this process could take several hours to complete. When the copy job completes, you will see the copy in the Copy jobs tab in the Jobs menu.

Restoring a backup from one AWS account to another

AWS Backup does not support recovering resources from one AWS account to another. However, you can copy a backup from one account to a different account and then restore it in that account. For example, you can't restore a backup from account A to account B, but you can copy a backup from account A to account B, and then restore it in account B.

Restoring a backup from one account to another is a two-step process.

To restore a backup from one account to another

  1. Copy the backup from the source AWS account to the account you want to restore to. For instructions, see Creating backup copies across AWS accounts.

  2. Use the appropriate instructions for your resource to restore the backup.

Sharing a backup vault with a different AWS account

AWS Backup allows you to share a backup vault with one or multiple accounts, or your entire organization in AWS Organizations. You can share a destination backup vault with a source AWS Account, user, or IAM role.

To share a destination Backup vault

  1. Choose AWS Backup, and then choose Backup vaults.

  2. Choose the name of the backup vault that you want to share.

  3. In the Access policy pane, choose the Add permissions dropdown.

  4. Choose Allow account level access to a Backup vault. Or, you can choose to allow organization-level or role-level access.

  5. Enter the account ID of the account you'd like to share this destination Backup vault with.

  6. Choose Save policy.

You can use IAM policies to share your backup vault.

Share a destination backup vault with an AWS account or IAM role

The following policy shares a backup vault with account number 444455556666 and the IAM role SomeRole in account number 111122223333.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::444455556666:root",
          "arn:aws:iam::111122223333:role/SomeRole"
        ]
      },
      "Action": "backup:CopyIntoBackupVault",
      "Resource": "*"
    }
  ]
}

Share a destination backup vault with an organizational unit in AWS Organizations

The following policy shares a backup vault with organizational units using their PrincipalOrgPaths.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "backup:CopyIntoBackupVault",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:PrincipalOrgPaths": [
            "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbbb/",
            "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbbb/ou-jkl0-awsddddd/*"
          ]
        }
      }
    }
  ]
}

Share a destination backup vault with an organization in AWS Organizations

The following policy shares a backup vault with the organization with PrincipalOrgID "o-a1b2c3d4e5".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "backup:CopyIntoBackupVault",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": [
            "o-a1b2c3d4e5"
          ]
        }
      }
    }
  ]
}

Configuring your account as a destination account

When you first enable cross-account backups using your AWS Organizations management account, any user of a member account can configure their account to be a destination account. We recommend setting one or more of the following access controls in AWS Organizations to limit your destination accounts.

Limit destination accounts using tags

The following policy limits destination accounts to accounts with backup vaults tagged DestinationBackupVault.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "backup:CopyIntoBackupVault",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/DestinationBackupVault": "true"
        }
      }
    }
  ]
}

Limit destination accounts using account numbers and vault names

The following policy limits destination accounts to only two accounts. The first destination account is account 112233445566 with the backup vault name prefix cab. The second destination account is account 123456789012 in AWS Region us-west-1 with the backup vault named fort-knox.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "backup:CopyFromBackupVault",
      "Resource": "arn:aws:ec2:*:snapshot/*",
      "Condition": {
        "ForAllValues:ArnNotLike": {
          "backup:CopyTargets": [
            "arn:aws:backup:*:112233445566:backup-vault:cab-*",
            "arn:aws:backup:us-west-1:123456789012:backup-vault:fort-knox"
          ]
        }
      }
    }
  ]
}

Limit destination accounts using organizational units in AWS Organizations

The following policy limits destination accounts to the accounts within certain organizational units. You must attach this policy to an AWS Organizations node that contains your source account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "backup:CopyFromBackupVault",
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringNotLike": {
          "backup:CopyTargetOrgPaths": [
            "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbbb/",
            "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbbb/ou-jkl0-awsddddd/*"
          ]
        }
      }
    }
  ]
}
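The vault access policies under "Sharing a backup vault with a different AWS account" and the SCP guardrails above are easy to get subtly wrong, so a pre-deployment check is worth having. The following is an added example, not AWS code or part of this page: it evaluates a destination vault policy and a source-side SCP offline, using the page's example policies as constructed sample input, and models the ForAllValues set semantics that make the SCP Deny fire only when every copy target misses every listed pattern. fnmatch stands in for IAM's ArnLike matching and the Resource element is not modelled.

```python
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(entry, arn):
    # An account principal (arn:aws:iam::<id>:root) covers every IAM principal of that account.
    return entry == arn or (entry.endswith(":root") and entry.split(":")[4] == arn.split(":")[4])

def vault_policy_grants_copy(policy, principal_arn, org_id=None, org_paths=()):
    """True if the vault access policy Allows backup:CopyIntoBackupVault to the caller: explicit
    principal ARNs, or Principal "*" scoped by aws:PrincipalOrgID / aws:PrincipalOrgPaths."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "backup:CopyIntoBackupVault" not in _as_list(stmt["Action"]):
            continue
        principal, cond = stmt["Principal"], stmt.get("Condition", {})
        ok = principal == "*" or any(_principal_matches(e, principal_arn)
                                     for e in _as_list(principal.get("AWS", [])))
        if "aws:PrincipalOrgID" in cond.get("StringEquals", {}):
            ok = ok and org_id in _as_list(cond["StringEquals"]["aws:PrincipalOrgID"])
        pats = cond.get("ForAnyValue:StringLike", {}).get("aws:PrincipalOrgPaths")
        if pats is not None:
            ok = ok and any(fnmatchcase(p, pat) for p in org_paths for pat in _as_list(pats))
        if ok:
            return True
    return False

def scp_denies_copy(scp, copy_targets, target_org_paths=()):
    """True if an SCP Deny on backup:CopyFromBackupVault blocks a copy to these destination vaults.
    ForAllValues:ArnNotLike / StringNotLike fire only when every request value fails to match every
    listed pattern (and, an IAM gotcha, when the key is absent). fnmatch approximates ArnLike."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or "backup:CopyFromBackupVault" not in _as_list(stmt["Action"]):
            continue
        cond, outcomes = stmt.get("Condition", {}), []
        for op, key, values in (("ForAllValues:ArnNotLike", "backup:CopyTargets", copy_targets),
                                ("ForAllValues:StringNotLike", "backup:CopyTargetOrgPaths", target_org_paths)):
            pats = cond.get(op, {}).get(key)
            if pats is not None:
                outcomes.append(all(not fnmatchcase(v, p) for v in values for p in _as_list(pats)))
        if outcomes and all(outcomes):
            return True
    return False

# Constructed samples, built from the example policies on this page.
VAULT_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "backup:CopyIntoBackupVault",
    "Resource": "*", "Principal": {"AWS": ["arn:aws:iam::444455556666:root",
                                           "arn:aws:iam::111122223333:role/SomeRole"]}}]}
ORG_VAULT_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "backup:CopyIntoBackupVault", "Resource": "*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": ["o-a1b2c3d4e5"]}}}]}
SCP = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "backup:CopyFromBackupVault",
    "Resource": "arn:aws:ec2:*:snapshot/*", "Condition": {"ForAllValues:ArnNotLike": {"backup:CopyTargets": [
        "arn:aws:backup:*:112233445566:backup-vault:cab-*",
        "arn:aws:backup:us-west-1:123456789012:backup-vault:fort-knox"]}}}]}
```

Run the functions against your own exported policies before attaching them; a vault policy with Principal "*" and no organization condition, or an SCP whose copy-target list omits a vault you rely on, shows up immediately as an unexpected True or False.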

Security consideration for cross account backup

Be aware of the following when performing cross-account backups in AWS Backup:

  • The destination vault cannot be the default vault. This is because the default vault is encrypted with a key that cannot be shared with other accounts.

  • Cross-account backups might still run for up to 15 minutes after you disable cross-account backup. This is due to eventual consistency, and might result in some cross-account jobs starting or completing even after you disable cross-account backup.

  • If the destination account leaves the organization at a later date, that account will retain the backups. To avoid potential data leakage, place a deny permission on the organizations:LeaveOrganization permission in a service control policy (SCP) attached to the destination account. For detailed information about SCPs, see Removing a member account from your organization in the Organizations User Guide.

  • If you delete a copy job role during a cross-account copy, AWS Backup can't unshare snapshots from the source account when the copy job completes. In this case, the backup job finishes, but the copy job status shows as Failed to unshare snapshot.