Managing AWS Backup resources across multiple AWS accounts - AWS Backup

You can use the cross-account management feature in AWS Backup to manage and monitor your backup, restore, and copy jobs across AWS accounts that you configure with AWS Organizations. AWS Organizations is a service that offers policy-based management for multiple AWS accounts from a single management account. It enables you to standardize the way you implement backup policies, minimizing manual errors and effort simultaneously. From a central view, you can easily identify resources in all accounts that meet the criteria that you are interested in.

If you set up AWS Organizations, you can configure AWS Backup to monitor activities in all of your accounts in one place. You can also create a backup policy and apply it to selected accounts that are part of your organization and view the aggregate backup job activities directly from the AWS Backup console. This functionality enables backup administrators to effectively monitor backup job status in hundreds of accounts across their entire enterprise from a single management account. AWS Organizations quotas apply.

For example, you define a backup policy A that takes daily backups of specific resources and keeps them for 7 days. You choose to apply backup policy A to the whole organization. (This means that each account in the organization gets that backup policy, which creates a corresponding backup plan that is visible in that account.) Then, you create an OU named Finance, and you decide that its backups should be kept for 30 days instead. In this case, you define a backup policy B, which overrides the lifecycle value, and attach it to that Finance OU. This means that all the accounts under the Finance OU get a new effective backup plan that takes daily backups of all specified resources and keeps them for 30 days.

In this example, backup policy A and backup policy B were merged into a single backup policy, which defines the protection strategy for all accounts under the OU named Finance. All the other accounts in the organization remain protected by backup policy A. Merging is done only for backup policies that share the same backup plan name. You can also have policy A and policy B coexist in that account without any merging. You can use advanced merging operators in the JSON view of the console only. For details about merging policies, see Defining policies, policy syntax, and policy inheritance in the AWS Organizations User Guide. For additional references and use cases, see the blog Managing backups at scale in your AWS Organizations using AWS Backup and the video tutorial Managing backups at scale in your AWS Organizations using AWS Backup.

The cross-account management feature is not available in the following AWS Regions: AWS GovCloud (US), China Regions, Middle East (Bahrain) Region, and Asia Pacific (Hong Kong) Region.

To use cross-account management, you must follow these steps:

  1. Create a management account in AWS Organizations and add accounts under the management account.

  2. Enable the cross-account management feature in AWS Backup.

  3. Create a backup policy to apply to all AWS accounts under your management account.

    Note

    For backup plans that are managed by Organizations, the resource opt-in settings in the management account override the settings in a member account.

  4. Manage backup, restore, and copy jobs in all your AWS accounts.

Creating a management account in Organizations

First, you must create your organization and configure it with AWS member accounts in AWS Organizations.

To create a management account in AWS Organizations and add accounts

Enabling cross-account management

Before you can use cross-account management in AWS Backup, you have to enable the feature (that is, opt in to it). After the feature is enabled, you can create backup policies that allow you to automate simultaneous management of multiple accounts.

To enable cross-account management

  1. Sign in to the AWS Management Console, and open the AWS Backup console at https://console.aws.amazon.com/backup.

    You can do this step only from the management account.

  2. In the left navigation pane, choose Settings to open the cross-account management page.

  3. In the Backup policies section, choose Enable.

    This gives you access to all the accounts and allows you to create policies that automate management of multiple accounts in your organization simultaneously.

  4. In the Cross-account monitoring section, choose Enable.

    This enables you to monitor the backup, copy, and restore activities of all accounts in your organization from your management account.

Creating a backup policy

After you enable cross-account management, create a cross-account backup policy from your management account.

To create a backup policy

  1. In the left navigation pane, choose Backup policies. On the Backup policies page, choose Create backup policies.

  2. In the Details section, enter a backup policy name and provide a description.

  3. In the Backup plans details section, choose the visual editor tab and do the following:

    1. For Backup plan name, enter a name.

    2. For Regions, choose a Region from the list.

  4. In the Backup rule configuration section, choose Add backup rule.

    1. For Rule name, enter a name for the rule. The rule name is case sensitive and can contain only alphanumeric characters or hyphens.

    2. For Schedule, choose a backup frequency in the Frequency list, and choose one of the Backup window options. We recommend that you choose Use backup window defaults—recommended.

  5. For Lifecycle, choose the lifecycle settings you want.

  6. For Backup vault name, enter a name. This is the backup vault where recovery points created by your backups will be stored.

    Make sure that the backup vault exists in all your accounts. AWS Backup doesn't check for this.

  7. (optional) Choose a destination Region from the list if you want your backups to be copied to another AWS Region, and add tags. You can choose tags for the recovery points that are created, regardless of the cross-Region copy settings. You can also add more rules.

  8. In the Resource assignment section, provide the name of the AWS Identity and Access Management (IAM) role. To use the AWS Backup service-linked role, provide service-role/AWSBackupDefaultServiceRole.

    AWS Backup assumes this role in each account to gain the permissions to perform backup and copy jobs, including encryption key permissions when applicable. AWS Backup also uses this role to perform lifecycle deletions.

    Note

    AWS Backup doesn't validate that the role exists or if the role can be assumed.

    For backup plans created by cross-account management, AWS Backup uses the opt-in settings from the management account and overrides the settings of the individual member accounts.

    For each account that you want to add backup policies to, you must create the vaults and IAM roles yourself.

  9. Add tags to the backup plan, if desired.

  10. In the Advanced settings section, choose Windows VSS if the resource you're backing up is running Microsoft Windows on an Amazon EC2 instance. This enables you to take application-consistent Windows VSS backups.

    Note

    AWS Backup currently supports application-consistent backups of resources running on Amazon EC2 only. Not all instance types or applications are supported for Windows VSS backups. For more information, see Creating Windows VSS backups.

  11. Choose Add backup plan to add it to the policy, and then choose Create backup policy.

    Creating a backup policy doesn't protect your resources until you attach it to the accounts. You can choose your policy name and see the details.

    The following is an example AWS Organizations policy that creates a backup plan. If you enable Windows VSS backup, you must add permissions that allow you to take application-consistent backups as shown in the advanced_backup_settings section of the policy.

    {
      "plans": {
        "PiiBackupPlan": {
          "regions": {
            "@@append": ["us-east-1", "eu-north-1"]
          },
          "rules": {
            "Hourly": {
              "schedule_expression": { "@@assign": "cron(0 0/1 ? * * *)" },
              "start_backup_window_minutes": { "@@assign": "60" },
              "complete_backup_window_minutes": { "@@assign": "604800" },
              "target_backup_vault_name": { "@@assign": "FortKnox" },
              "recovery_point_tags": {
                "owner": {
                  "tag_key": { "@@assign": "Owner" },
                  "tag_value": { "@@assign": "Backup" }
                }
              },
              "lifecycle": {
                "delete_after_days": { "@@assign": "365" },
                "move_to_cold_storage_after_days": { "@@assign": "180" }
              },
              "copy_actions": {
                "arn:aws:backup:eu-north-1:$account:backup-vault:myTargetBackupVault": {
                  "target_backup_vault_arn": {
                    "@@assign": "arn:aws:backup:eu-north-1:$account:backup-vault:myTargetBackupVault"
                  },
                  "lifecycle": {
                    "delete_after_days": { "@@assign": "365" },
                    "move_to_cold_storage_after_days": { "@@assign": "180" }
                  }
                }
              }
            }
          },
          "selections": {
            "tags": {
              "SelectionDataType": {
                "iam_role_arn": { "@@assign": "arn:aws:iam::$account:role/MyIamRole" },
                "tag_key": { "@@assign": "dataType" },
                "tag_value": { "@@assign": ["PII", "RED"] }
              }
            }
          },
          "backup_plan_tags": {
            "stage": {
              "tag_key": { "@@assign": "Stage" },
              "tag_value": { "@@assign": "Beta" }
            }
          }
        }
      }
    }

  12. In the Targets section, choose the organizational unit or account that you want to attach the policy to, and choose Attach. The policy can also be added to individual organizational units or accounts.

    Note

    Make sure that you validate your policy and include all required fields in it. If parts of the policy are not valid, AWS Backup ignores those parts, but the valid parts of the policy will work as expected. Currently, AWS Backup does not validate AWS Organizations policies for correctness.

    If you apply one policy to the management account and a different policy to a member account, and they conflict (for example, having different backup retention periods), both policies will run without issues (that is, the policies will independently run for each account). For example, if the management account policy backs up an Amazon EBS volume once a day, and the local policy backs up an EBS volume once a week, both policies will run.

    If required fields are missing in the effective policy that will be applied to an account (probably due to merging between different policies), AWS Backup doesn't apply the policy to the account at all. If some settings are not valid, AWS Backup adjusts them.

    Regardless of the opt-in settings in a member account in a backup plan that is created from a backup policy, AWS Backup will use the opt-in settings specified in the management account of the organization.

    When you attach a policy to an organizational unit, every account that joins this organizational unit gets this policy automatically, and every account that is removed from the organizational unit loses this policy. The corresponding backup plans are deleted automatically from that account.
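The worked example below is added here and is not AWS's own code. It models two things the text above describes: how AWS Organizations inheritance merges a policy attached to the organization root (policy A, 7-day retention) with a policy attached to a Finance OU (policy B, 30-day retention for the same plan name), and the pre-attach checks that the notes say AWS Backup does not perform for you (required fields present in the effective policy, and the vaults and IAM roles that must already exist in each member account). The policy contents, plan names, account ID and the list of fields treated as required are constructed assumptions; only the `@@assign`, `@@append` and `@@remove` operators are modelled, and the `@@operators_allowed_for_child_policies` restriction is left out.

```python
"""Added example, not AWS's own code: model AWS Organizations policy
inheritance for backup policies and run pre-attach checks on the result.
All policy contents and IDs below are constructed samples."""
from copy import deepcopy

ASSIGN, APPEND, REMOVE = "@@assign", "@@append", "@@remove"


def _as_list(value):
    return list(value) if isinstance(value, list) else [value]


def apply_policy(effective, policy):
    """Apply one policy document onto the effective value tree.
    Assumption: only @@assign, @@append and @@remove are modelled; the
    @@operators_allowed_for_child_policies restriction is not."""
    if ASSIGN in policy:                      # child value replaces the inherited value
        return deepcopy(policy[ASSIGN])
    if APPEND in policy or REMOVE in policy:  # list edits relative to the inherited list
        current = _as_list(effective) if effective is not None else []
        for item in _as_list(policy.get(APPEND, [])):
            if item not in current:
                current.append(item)
        removed = _as_list(policy.get(REMOVE, []))
        return [x for x in current if x not in removed]
    merged = deepcopy(effective) if isinstance(effective, dict) else {}
    for key, child in policy.items():         # plain key: recurse, merging by name
        merged[key] = apply_policy(merged.get(key), child)
    return merged


def effective_policy(*policies):
    """Policies are applied root first, then OU, then account."""
    effective = {}
    for policy in policies:
        effective = apply_policy(effective, policy)
    return effective


# Constructed policy A, attached to the organization root: daily backups kept 7 days.
POLICY_A = {"plans": {"DailyPlan": {
    "regions": {APPEND: ["us-east-1"]},
    "rules": {"Daily": {
        "schedule_expression": {ASSIGN: "cron(0 5 ? * * *)"},
        "target_backup_vault_name": {ASSIGN: "Default"},
        "lifecycle": {"delete_after_days": {ASSIGN: "7"}},
    }},
    "selections": {"tags": {"Prod": {
        "iam_role_arn": {ASSIGN: "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"},
        "tag_key": {ASSIGN: "Environment"},
        "tag_value": {ASSIGN: ["prod"]},
    }}},
}}}

# Constructed policy B, attached to the Finance OU: overrides only the retention of
# the plan with the same name (plans with different names are not merged).
POLICY_B = {"plans": {"DailyPlan": {
    "regions": {APPEND: ["eu-west-1"]},
    "rules": {"Daily": {"lifecycle": {"delete_after_days": {ASSIGN: "30"}}}},
}}}


def missing_required_fields(effective):
    """Names of required fields absent from the effective policy. Assumption: the
    required set is modelled as a non-empty region list, at least one rule with a
    target vault, and at least one tag selection with role, tag key and tag value;
    see the AWS Organizations backup policy syntax for the authoritative list."""
    missing = []
    for name, plan in effective.get("plans", {}).items():
        if not plan.get("regions"):
            missing.append(f"{name}.regions")
        rules = plan.get("rules") or {}
        if not rules:
            missing.append(f"{name}.rules")
        for rule, body in rules.items():
            if not body.get("target_backup_vault_name"):
                missing.append(f"{name}.rules.{rule}.target_backup_vault_name")
        selections = (plan.get("selections") or {}).get("tags") or {}
        if not selections:
            missing.append(f"{name}.selections.tags")
        for sel, body in selections.items():
            for field in ("iam_role_arn", "tag_key", "tag_value"):
                if not body.get(field):
                    missing.append(f"{name}.selections.tags.{sel}.{field}")
    return missing


def prerequisites(effective, account_id):
    """Vaults (per region) and IAM roles that must already exist in a member
    account before attaching; $account is resolved to that member's ID."""
    vaults, roles = set(), set()
    for plan in effective.get("plans", {}).values():
        for region in plan.get("regions", []):
            for rule in plan.get("rules", {}).values():
                if rule.get("target_backup_vault_name"):
                    vaults.add((region, rule["target_backup_vault_name"]))
        for sel in plan.get("selections", {}).get("tags", {}).values():
            roles.add(sel["iam_role_arn"].replace("$account", account_id))
    return sorted(vaults), sorted(roles)


if __name__ == "__main__":
    finance = effective_policy(POLICY_A, POLICY_B)  # accounts under the Finance OU
    others = effective_policy(POLICY_A)             # every other account
    print(finance["plans"]["DailyPlan"]["rules"]["Daily"]["lifecycle"])
    print(others["plans"]["DailyPlan"]["rules"]["Daily"]["lifecycle"])
    print(missing_required_fields(effective_policy(POLICY_B)))  # B alone is incomplete
    print(prerequisites(finance, "111122223333"))               # placeholder account ID
```

Running the module shows the Finance accounts ending up with `delete_after_days` of `"30"` while every other account keeps `"7"`, that policy B on its own would be rejected for lacking a target vault and a selection, and the per-region vault and role list an administrator has to create in each member account before attaching.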

Monitoring activities in multiple AWS accounts

To monitor backup, copy, and restore jobs across accounts, you must enable cross-account monitoring. This lets you monitor backup activities in all accounts from your organization's management account. After you opt in, all the jobs across your organization that were created after the opt-in are visible. When you opt out, AWS Backup keeps the jobs in the aggregated view for 30 days (counted from the time they reach a terminal state). Jobs created after the opt-out are not visible in the aggregated view. For opt-in instructions, see Enabling cross-account management.

To monitor multiple accounts

  1. Sign in to the AWS Management Console, and open the AWS Backup console at https://console.aws.amazon.com/backup.

    You can only do this from the management account.

  2. In the left navigation pane, choose Settings to open the cross-account management page.

  3. In the Cross-account monitoring section, choose Enable.

    This enables you to monitor the backup and restore activities of all accounts in your organization from your management account.

  4. In the left navigation pane, choose Cross-account monitoring.

  5. On the Cross-account monitoring page, choose the Backup jobs, Restore jobs, or Copy jobs tab to see all the jobs created in all your accounts. You can see each of these jobs by AWS account ID, and you can see all the jobs in a particular account.

  6. In the search box, you can filter the jobs by Account ID, Status, or Job ID.

    For example, you can choose the Backup jobs tab and see all backup jobs created in all your accounts. You can filter the list by Account ID and see all the backup jobs created in that account.
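The following is an added example, not AWS's own code, of what a backup administrator does with the aggregated view once cross-account monitoring is enabled: pull the jobs from the management account, apply the same Account ID and Status filters the console offers, and summarize failed jobs per account. The job records are constructed samples shaped like the `BackupJobs` entries of the AWS Backup `ListBackupJobs` API (`AccountId`, `BackupJobId`, `State`, `ResourceArn`, `StatusMessage`); the account IDs, job IDs and status messages are placeholders, and the `FakeBackupClient` stands in for a boto3 `backup` client so the module runs offline.

```python
"""Added example, not AWS's own code: triage cross-account backup jobs from the
management account. Sample records, IDs and messages are constructed."""
from collections import defaultdict

# Job states in which a backup did not produce a usable recovery point.
UNHEALTHY_STATES = {"FAILED", "ABORTED", "EXPIRED", "PARTIAL"}

# Constructed sample jobs; account and job IDs are placeholders, not real values.
SAMPLE_JOBS = [
    {"AccountId": "111122223333", "BackupJobId": "job-0001", "State": "COMPLETED",
     "ResourceArn": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0a1", "StatusMessage": ""},
    {"AccountId": "111122223333", "BackupJobId": "job-0002", "State": "FAILED",
     "ResourceArn": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0a2",
     "StatusMessage": "(constructed) IAM role could not be assumed"},
    {"AccountId": "444455556666", "BackupJobId": "job-0003", "State": "RUNNING",
     "ResourceArn": "arn:aws:rds:us-east-1:444455556666:db:finance-db", "StatusMessage": ""},
    {"AccountId": "444455556666", "BackupJobId": "job-0004", "State": "FAILED",
     "ResourceArn": "arn:aws:ec2:us-east-1:444455556666:volume/vol-0b1",
     "StatusMessage": "(constructed) backup vault does not exist in this account"},
]


class FakeBackupClient:
    """Offline stand-in for boto3.client('backup'); pages the constructed sample jobs
    through the same paginator interface the real client exposes."""
    def __init__(self, jobs, page_size=2):
        self._pages = [jobs[i:i + page_size] for i in range(0, len(jobs), page_size)]

    def get_paginator(self, name):
        assert name == "list_backup_jobs"
        pages = self._pages
        class _Paginator:
            def paginate(self, **kwargs):
                account, state = kwargs.get("ByAccountId"), kwargs.get("ByState")
                for page in pages:
                    yield {"BackupJobs": [j for j in page
                                          if (account is None or j["AccountId"] == account)
                                          and (state is None or j["State"] == state)]}
        return _Paginator()


def fetch_cross_account_jobs(client, account_id=None, state=None):
    """Collect every job visible from the management account. With a real boto3
    client this uses the list_backup_jobs paginator and its ByAccountId / ByState
    filters, which correspond to the console's Account ID and Status filters."""
    kwargs = {}
    if account_id:
        kwargs["ByAccountId"] = account_id
    if state:
        kwargs["ByState"] = state
    jobs = []
    for page in client.get_paginator("list_backup_jobs").paginate(**kwargs):
        jobs.extend(page["BackupJobs"])
    return jobs


def filter_jobs(jobs, account_id=None, state=None, job_id=None):
    """Client-side equivalent of the console search box filters."""
    return [j for j in jobs
            if (account_id is None or j["AccountId"] == account_id)
            and (state is None or j["State"] == state)
            and (job_id is None or j["BackupJobId"] == job_id)]


def summarize_by_account(jobs):
    """Per-account totals with the unhealthy jobs listed for follow-up."""
    summary = defaultdict(lambda: {"total": 0, "unhealthy": 0, "attention": []})
    for job in jobs:
        entry = summary[job["AccountId"]]
        entry["total"] += 1
        if job["State"] in UNHEALTHY_STATES:
            entry["unhealthy"] += 1
            entry["attention"].append((job["BackupJobId"], job["ResourceArn"], job["StatusMessage"]))
    return dict(summary)


if __name__ == "__main__":
    jobs = fetch_cross_account_jobs(FakeBackupClient(SAMPLE_JOBS))
    for account, entry in sorted(summarize_by_account(jobs).items()):
        print(account, entry["unhealthy"], "of", entry["total"], "jobs need attention")
        for job_id, arn, message in entry["attention"]:
            print("   ", job_id, arn, message)
```

To use this against a real organization, replace `FakeBackupClient(SAMPLE_JOBS)` with `boto3.client("backup")` created with management-account credentials; the per-account summary is the view to feed into alerting, because a run of unhealthy jobs concentrated in one account usually points at a missing vault or role in that account rather than at the policy itself.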

Resource opt-in rules

If a member account's backup plan was created by an Organizations-level backup policy (with an ID that starts with orgs-), the AWS Backup opt-in settings of the Organizations management account override the opt-in settings in that member account, but only for that backup plan.

If the member account also has local-level backup plans created by users, those backup plans will follow the opt-in settings in the member account, without reference to the Organizations management account's opt-in settings.

Defining policies, policy syntax, and policy inheritance

The following topics are documented in the AWS Organizations User Guide.