automated and managed cross-account backup S3, RDS, EBS

Question

A customer wants to automate the backup for S3 buckets, EBS snapshots and RDS snapshots to another, independent account to be able to restore the application data in case an administrator account in the organization is compromised and a ransomware attack is executed.
The customer wants to do this in an automated, maintenance free way.

At first I suggested using scheduled Lambdas in the independent accounts that use IAM roles to access the "to-be-backuped" buckets and snapshots and pull them into the independent account. However, this solution requires the implementation and maintenance of code.
I was looking into AWS backup as I thought it would be able to create RDS and EBS Snapshot backups on a schedule to S3. I would then have recommended the customer to use this and setup cross-account replication of the buckets with a transfer of ownership of the objects in the replicated bucket to the independent account.

However, it seems that AWS backup uses S3 as a storage location for the backups, the backups themselves are not visible/accessible this way.
I am looking for a low effort, maintenance free way of achieving cross account (destination account being outside of the org) backups for S3, EBS, and RDS

Accepted Answer

You can achieve this with AWS Backup and Organizations: https://docs.aws.amazon.com/aws-backup/latest/devguide/recov-point-create-a-copy.html#create-cross-account-backup

For S3, you could also achieve it with S3 Replication: https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-walkthrough-2.html

Update: DLM now supports copying EBS snapshots cross-account: https://aws.amazon.com/blogs/storage/automating-copying-encrypted-amazon-ebs-snapshots-across-aws-accounts/

Answer

AWS Backup now provides snapshot backups of EBS, EC2, RDS and S3 with support for [cross region](https://docs.aws.amazon.com/aws-backup/latest/devguide/cross-region-backup.html) and [cross account](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-cross-account-backup.html) replication. S3 and RDS can have [continuous backups](https://docs.aws.amazon.com/aws-backup/latest/devguide/point-in-time-recovery.html) to allow for point-in-time recovery of up to 35 days ago. With [Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html) it is possible to protect backups from being deleted by any account before the retention period has ended.

Answer

Hi all,
I understand AWS Backup now supports cross account backups for S3, however I assume it will still be from one backup vault to other backup vault.
Is there a way to copy from backup vault to a non AWS managed S3 bucket??
Thanks

automated and managed cross-account backup S3, RDS, EBS

関連するコンテンツ