Managing AWS Backup resources across multiple AWS accounts
Note
Before you manage resources across multiple AWS accounts in AWS Backup, your accounts must belong to the same organization in the AWS Organizations service.
You can use the cross-account management feature in AWS Backup to manage and monitor your backup, restore, and copy jobs across AWS accounts that you configure with AWS Organizations. AWS Organizations is a service that offers policy-based management for multiple AWS accounts from a single management account. It enables you to standardize the way you implement backup policies, minimizing manual errors and effort simultaneously. From a central view, you can easily identify resources in all accounts that meet the criteria that you are interested in.
If you set up AWS Organizations, you can configure AWS Backup to monitor activities in all of your accounts in one place. You can also create a backup policy and apply it to selected accounts that are part of your organization and view the aggregate backup job activities directly from the AWS Backup console. This functionality enables backup administrators to effectively monitor backup job status in hundreds of accounts across their entire enterprise from a single management account. AWS Organizations quotas apply.
For example, you define a backup policy A that takes daily backups of specific resources and keeps them for 7 days. You choose to apply backup policy A to the whole organization. (This means that each account in the organization gets that backup policy, which creates a corresponding backup plan that is visible in that account.) Then, you create an OU named Finance, and you decide to keep its backups for only 30 days. In this case, you define a backup policy B, which overrides the lifecycle value, and attach it to that Finance OU. This means that all the accounts under the Finance OU get a new effective backup plan that takes daily backups of all specified resources and keeps them for 30 days.
In this example, backup policy A and backup policy B were merged into a single backup policy, which defines the protection strategy for all accounts under the OU named Finance. All the other accounts in the organization remain protected by backup policy A. Merging is done only for backup policies that share the same backup plan name. You can also have policy A and policy B coexist in that account without any merging. You can use advanced merging operators in the JSON view of the console only. For details about merging policies, see Defining policies, policy syntax, and policy inheritance in the AWS Organizations User Guide. For additional references and use cases, see the blog Managing backups at scale in your AWS Organizations using AWS Backup.
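The policy A / policy B merge described above, together with the later note that AWS Backup does not validate Organizations policies for required fields, modeled in Python as an added example (not AWS code): a simplified evaluator for the @@assign and @@append inheritance operators derives the effective plan for the Finance OU, and a check covers the fields the create-policy procedure on this page fills in. The policy contents, the role name and the required-field list are constructed assumptions.

```python
# Simplified model (added example, not AWS code) of how AWS Organizations builds
# an effective backup policy from the policies attached above an account
# (root -> OU -> account), plus the field checks AWS Backup leaves to the author.
# Only @@assign and @@append are modeled; the required-field list is an assumption.
import copy
import re

OPERATORS = {"@@assign", "@@append"}
RULE_NAME = re.compile(r"^[A-Za-z0-9-]+$")  # page: alphanumerics or hyphens only

def apply_policy(effective: dict, policy: dict) -> dict:
    """Apply one policy level on top of the values inherited so far."""
    out = copy.deepcopy(effective)
    for key, node in policy.items():
        if isinstance(node, dict) and OPERATORS.intersection(node):
            cur = out.get(key)
            if "@@assign" in node:      # overwrite whatever was inherited
                cur = copy.deepcopy(node["@@assign"])
            if "@@append" in node:      # extend the inherited list
                cur = list(cur or []) + list(node["@@append"])
            out[key] = cur
        elif isinstance(node, dict):    # plain container such as "rules": recurse
            out[key] = apply_policy(out.get(key, {}), node)
        else:
            out[key] = node
    return out

def effective_policy(chain: list) -> dict:
    eff = {}                            # chain is root first, account last
    for policy in chain:
        eff = apply_policy(eff, policy)
    return eff

def plan_problems(plan: dict) -> list:
    """Defects that would make AWS Backup skip or adjust an effective plan."""
    problems = [] if plan.get("regions") else ["no regions"]
    for name, rule in plan.get("rules", {}).items():
        if not RULE_NAME.match(name):
            problems.append(f"rule name {name!r} not alphanumeric/hyphen")
        for field in ("schedule_expression", "target_backup_vault_name"):
            if field not in rule:
                problems.append(f"rule {name!r} missing {field}")
    for name, sel in plan.get("selections", {}).get("tags", {}).items():
        if "iam_role_arn" not in sel:
            problems.append(f"selection {name!r} missing iam_role_arn")
    return problems

# Constructed sample: policy A at the root keeps daily backups for 7 days ...
POLICY_A = {"plans": {"Daily": {
    "regions": {"@@assign": ["us-east-1"]},
    "rules": {"Daily": {
        "schedule_expression": {"@@assign": "cron(0 5 ? * * *)"},
        "target_backup_vault_name": {"@@assign": "Default"},
        "lifecycle": {"delete_after_days": {"@@assign": "7"}}}},
    "selections": {"tags": {"all": {
        "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/MyBackupRole"},
        "tag_key": {"@@assign": "backup"}, "tag_value": {"@@assign": ["true"]}}}}}}}
# ... and policy B on the Finance OU overrides only that plan's retention.
POLICY_B = {"plans": {"Daily": {"rules": {"Daily": {
    "lifecycle": {"delete_after_days": {"@@assign": "30"}}}}}}}
```

A plan under a different name in policy B would not merge with "Daily"; both plans would appear side by side in the effective policy.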
See Feature availability by AWS Region for the Regions in which the cross-account management feature is available.
To use cross-account management, you must follow these steps:
- Create a management account in AWS Organizations and add accounts under the management account.
- Enable the cross-account management feature in AWS Backup.
- Create a backup policy to apply to all AWS accounts under your management account.
  Note
  For backup plans that are managed by Organizations, the resource opt-in settings in the management account override the settings in a member account.
- Manage backup, restore, and copy jobs in all your AWS accounts.
Creating a management account in Organizations
First, you must create your organization and configure it with AWS member accounts in AWS Organizations.
To create a management account in AWS Organizations and add accounts
- For instructions, see Tutorial: Creating and configuring an organization in the AWS Organizations User Guide.
Enabling cross-account management
Before you can use cross-account management in AWS Backup, you have to enable the feature (that is, opt in to it). After the feature is enabled, you can create backup policies that allow you to automate simultaneous management of multiple accounts.
To enable cross-account management
- Sign in to the AWS Management Console, and open the AWS Backup console at https://console.aws.amazon.com/backup. You can do this step only from the management account.
- In the left navigation pane, choose Settings to open the cross-account management page.
- In the Backup policies section, choose Enable.
  This gives you access to all the accounts and allows you to create policies that automate management of multiple accounts in your organization simultaneously.
- In the Cross-account monitoring section, choose Enable.
  This enables you to monitor the backup, copy, and restore activities of all accounts in your organization from your management account.
Delegated administrator
Delegated administration provides a convenient way for assigned users in a registered member account to perform most AWS Backup administrative tasks. You can choose to delegate administration of AWS Backup to a member account in AWS Organizations, thereby extending the ability to manage AWS Backup from outside the management account and across the entire organization.
A management account, by default, is the account used to edit and manage policies. Using the delegated administrator feature, you can delegate these management functions to member accounts you designate. In turn, those accounts can manage policies, in addition to the management account.
After a member account has been successfully registered for delegated administration, it is a delegated administrator account. Note that accounts, not users, are designated as delegated administrators.
Enabling delegated administrator accounts allows the option of managing backup policies, it minimizes the number of users with access to the management account, and it permits cross-account monitoring of jobs.
Below is a table showing the functions of the management account, accounts delegated as Backup administrators, and accounts that are members within the AWS Organization.
PRIVILEGES | MANAGEMENT ACCOUNT | DELEGATED ADMINISTRATOR | MEMBER ACCOUNT
---|---|---|---
Register/deregister delegated administrator accounts | Yes | No | No
Manage backup policies across accounts in AWS Organizations | Yes | Yes | No
Monitor cross-account jobs | Yes | Yes | No
Prerequisites
Before you can delegate backup administration, you must first register at least one member account in your AWS organization as a delegated administrator. Before you can register an account as a delegated administrator, you must first configure the following:
- AWS Organizations must be enabled and configured with at least one member account in addition to your default management account.
- In the AWS Backup console, ensure backup policies, cross-account monitoring, and cross-account backup features are turned on. These are below the Delegated administrators pane in the AWS Backup console.
  - Cross-account monitoring allows you to monitor backup activity across all the accounts in your organization from the management account, as well as from delegated administrator accounts.
  - Optional: Cross-account backup, which allows accounts in your organization to copy backups to other accounts (for Backup-supported cross-account resources).
- Enable service access with AWS Backup.
There are two steps involved in setting up delegated administration. The first step is to delegate cross-account jobs monitoring. The second step is to delegate backup policy management.
Register a member account as a delegated administrator account
This section describes how to use the AWS Backup console to register a delegated administrator account to monitor cross-account jobs. To delegate AWS Backup policies, you use the Organizations console, as described in the next section.
To register a member account using the AWS Backup Console:
Sign in to the AWS Backup console using the credentials of your management account in AWS Organizations. Under My Account in the left-hand navigation of the console, choose Settings.
In the Delegated administrator pane, click Register delegated administrator or Add delegated administrator.
On the Register delegated administrator page, select the account you want to register, and then choose Register account.
This designated account will now be registered as a delegated administrator, with administrative privileges to monitor jobs across accounts within the organization and can view and edit policies (policy delegation). This member account cannot register or deregister other delegated administrator accounts. You can use the console to register up to 5 accounts as delegated administrators.
To register a member account programmatically:
Use the CLI command register-delegated-administrator. You can specify the following parameters in your CLI request:
- service-principal
- account-id
Below is an example of a CLI request to register a member account programmatically:
aws organizations register-delegated-administrator \
    --account-id 012345678912 \
    --service-principal "backup.amazonaws.com"
Deregister a member account
Use the following procedure to remove administrative access from AWS Backup by deregistering a member account in your AWS organization that had previously been designated as a delegated administrator.
To deregister a member account using the Console
Sign in to the AWS Backup console using the credentials of your management account in AWS Organizations. Under My Account in the left-hand navigation of the console, choose Settings.
In the Delegated administrator section, click Deregister account.
Choose the account(s) you want to deregister.
In the Deregister account dialog box, review the security implications, and then type confirm to complete the deregistration. Choose Deregister account.
To deregister a member account programmatically:
Use the CLI command deregister-delegated-administrator to deregister a delegated administrator account. You can specify the following parameters in your API request:
- service-principal
- account-id
Below is an example of a CLI request to deregister a member account programmatically:
aws organizations deregister-delegated-administrator \
    --account-id 012345678912 \
    --service-principal "backup.amazonaws.com"
Delegate AWS Backup policies through AWS Organizations
Within the AWS Organizations console, you can delegate administration of multiple policies, including Backup policies.
From the management account logged into the AWS Organizations console
Creating a backup policy
After you enable cross-account management, create a cross-account backup policy from your management account.
To create a backup policy
- In the left navigation pane, choose Backup policies. On the Backup policies page, choose Create backup policies.
- In the Details section, enter a backup policy name and provide a description.
- In the Backup plans details section, choose the visual editor tab and do the following:
  - For Backup plan name, enter a name.
  - For Regions, choose a Region from the list.
  - In the Backup rule configuration section, choose Add backup rule.
    - For Rule name, enter a name for the rule. The rule name is case sensitive and can contain only alphanumeric characters or hyphens.
    - For Schedule, choose a backup frequency in the Frequency list, and choose one of the Backup window options. We recommend that you choose Use backup window defaults—recommended.
    - For Lifecycle, choose the lifecycle settings you want.
    - For Backup vault name, enter a name. This is the backup vault where recovery points created by your backups will be stored.
      Make sure that the backup vault exists in all your accounts. AWS Backup doesn't check for this.
    - (Optional) Choose a destination Region from the list if you want your backups to be copied to another AWS Region, and add tags. You can choose tags for the recovery points that are created, regardless of the cross-Region copy settings. You can also add more rules.
- In the Resource assignment section, provide the name of the AWS Identity and Access Management (IAM) role. To use the AWS Backup service role, provide service-role/AWSBackupDefaultServiceRole. AWS Backup assumes this role in each account to gain the permissions to perform backup and copy jobs, including encryption key permissions when applicable. AWS Backup also uses this role to perform lifecycle deletions.
  Note
  AWS Backup doesn't validate that the role exists or whether the role can be assumed.
  For backup plans created by cross-account management, AWS Backup uses the opt-in settings from the management account and overrides the settings in the individual accounts.
  For each account that you want to add backup policies to, you must create the vaults and IAM roles yourself.
- Add tags to the backup plan, if desired. The maximum number of tags allowed is 20.
- In the Advanced settings section, choose Windows VSS if the resource you're backing up is running Microsoft Windows on an Amazon EC2 instance. This enables you to take application-consistent Windows VSS backups.
  Note
  AWS Backup currently supports application-consistent backups of resources running on Amazon EC2 only. Not all instance types or applications are supported for Windows VSS backups. For more information, see Creating Windows VSS backups.
  Note
  A backup plan created through an AWS Organizations policy can carry at most 20 tags. To apply more tags, use multiple resource assignments or define multiple backup plans in the JSON view.
- Choose Add backup plan to add it to the policy, and then choose Create backup policy.
Creating a backup policy doesn't protect your resources until you attach it to the accounts. You can choose your policy name and see the details.
The following is an example AWS Organizations policy that creates a backup plan. If you enable Windows VSS backup, you must add permissions that allow you to take application-consistent backups as shown in the advanced_backup_settings section of the policy.
{
  "plans": {
    "PiiBackupPlan": {
      "regions": {
        "@@append": ["us-east-1", "eu-north-1"]
      },
      "rules": {
        "Hourly": {
          "schedule_expression": { "@@assign": "cron(0 0/1 ? * * *)" },
          "start_backup_window_minutes": { "@@assign": "60" },
          "complete_backup_window_minutes": { "@@assign": "604800" },
          "target_backup_vault_name": { "@@assign": "FortKnox" },
          "recovery_point_tags": {
            "owner": {
              "tag_key": { "@@assign": "Owner" },
              "tag_value": { "@@assign": "Backup" }
            }
          },
          "lifecycle": {
            "delete_after_days": { "@@assign": "365" },
            "move_to_cold_storage_after_days": { "@@assign": "180" }
          },
          "copy_actions": {
            "arn:aws:backup:eu-north-1:$account:backup-vault:myTargetBackupVault": {
              "target_backup_vault_arn": { "@@assign": "arn:aws:backup:eu-north-1:$account:backup-vault:myTargetBackupVault" },
              "lifecycle": {
                "delete_after_days": { "@@assign": "365" },
                "move_to_cold_storage_after_days": { "@@assign": "180" }
              }
            }
          }
        }
      },
      "selections": {
        "tags": {
          "SelectionDataType": {
            "iam_role_arn": { "@@assign": "arn:aws:iam::$account:role/MyIamRole" },
            "tag_key": { "@@assign": "dataType" },
            "tag_value": { "@@assign": ["PII", "RED"] }
          }
        }
      },
      "backup_plan_tags": {
        "stage": {
          "tag_key": { "@@assign": "Stage" },
          "tag_value": { "@@assign": "Beta" }
        }
      }
    }
  }
}
- In the Targets section, choose the organizational unit or account that you want to attach the policy to, and choose Attach. The policy can also be added to individual organizational units or accounts.
Note
Make sure to validate your policy and that you include all required fields in the policy. If parts of the policy are not valid, AWS Backup ignores those parts, but the valid parts of the policy will work as expected. Currently, AWS Backup does not validate AWS Organizations policies for correctness.
If you apply one policy to the management account and a different policy to a member account, and they conflict (for example, having different backup retention periods), both policies will run without issues (that is, the policies will independently run for each account). For example, if the management account policy backs up an Amazon EBS volume once a day, and the local policy backs up an EBS volume once a week, both policies will run.
If required fields are missing in the effective policy that will be applied to an account (probably due to merging between different policies), AWS Backup doesn't apply the policy to the account at all. If some settings are not valid, AWS Backup adjusts them.
Regardless of the opt-in settings in a member account in a backup plan that is created from a backup policy, AWS Backup will use the opt-in settings specified in the management account of the organization.
When you attach a policy to an organizational unit, every account that joins this organizational unit gets this policy automatically, and every account that is removed from the organizational unit loses this policy. The corresponding backup plans are deleted automatically from that account.
Monitoring activities in multiple AWS accounts
To monitor backup, copy, and restore jobs across accounts, you must enable cross-account monitoring. This lets you monitor backup activities in all accounts from your organization's management account. After you opt in, all the jobs across your organization that were created after the opt-in are visible. When you opt out, AWS Backup keeps the jobs in the aggregated view for 30 days after they reach a terminal state. Jobs created after the opt-out are not visible. For opt-in instructions, see Enabling cross-account management.
To monitor multiple accounts
- Sign in to the AWS Management Console, and open the AWS Backup console at https://console.aws.amazon.com/backup. You can only do this from the management account.
- In the left navigation pane, choose Settings to open the cross-account management page.
- In the Cross-account monitoring section, choose Enable.
  This enables you to monitor the backup and restore activities of all accounts in your organization from your management account.
- In the left navigation pane, choose Cross-account monitoring.
- On the Cross-account monitoring page, choose the Backup jobs, Restore jobs, or Copy jobs tab to see all the jobs created in all your accounts. You can see each of these jobs by AWS account ID, and you can see all the jobs in a particular account.
- In the search box, you can filter the jobs by Account ID, Status, or Job ID.
  For example, you can choose the Backup jobs tab and see all backup jobs created in all your accounts. You can filter the list by Account ID and see all the backup jobs created in that account.
Resource opt-in rules
If a member account's backup plan was created by an Organizations-level backup policy (with an ID starting with orgs-), the AWS Backup opt-in settings for the Organizations management account will override the opt-in settings in that member account, but only for that backup plan.
If the member account also has local-level backup plans created by users, those backup plans will follow the opt-in settings in the member account, without reference to the Organizations management account's opt-in settings.
Defining policies, policy syntax, and policy inheritance
The following topics are documented in the AWS Organizations User Guide.
- Backup policies – See Backup policies.
- Policy syntax – See Backup policy syntax and examples.
- Inheritance for management policy types – See Inheritance for management policy types.