I want to use AWS Backup to create backups across multiple AWS accounts.
Resolution
Prerequisite: You must configure the correct permissions to perform actions across multiple accounts. Also, the accounts that you use must belong to the same organization in AWS Organizations.
Review source account requirements
Before you configure cross-account backups, review the requirements for your source account.
If you encrypted the resources in your source account with a customer managed key, then share this key with the destination account. For all services except those that support full AWS Backup management, the cross-account backup feature supports only customer managed keys. The cross-account feature doesn't support AWS managed keys because you can't share them between accounts.
Check that the user in the source account has the appropriate permissions to create copy jobs, such as AWSBackupFullAccess. The AWSBackupFullAccess permission provides backup administrator access. The backup administrator oversees all AWS Backup operations, such as modification of backup plans and backup restorations.
The default vaults are encrypted with AWS Key Management Service (AWS KMS) managed keys, and you can't share AWS managed keys with other accounts. It's a best practice to use custom backup vaults, because you can encrypt them with customer managed keys.
To perform cross-account backups for encrypted resources that don't support full AWS Backup management, you must encrypt your resources with customer managed keys. For more information, see Encryption for backups in AWS Backup.
Configure destination account requirements
The destination account is the account that you want to keep a copy of your backup in. You can select multiple destination accounts.
To configure the destination account before you set up cross-account backups, complete the following steps:
- Create a backup vault in the destination account, and then assign a customer managed key to encrypt the backups.
- Note the Amazon Resource Name (ARN) of your destination account backup vault.
- The access policy of your destination backup vault must allow the backup:CopyIntoBackupVault action for the source account. Without this policy, the destination account denies attempts to copy into it. See the following example policy that provides access (replace account-id with the ID of the source account that runs the copy jobs):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow account to copy into backup vault",
      "Effect": "Allow",
      "Action": "backup:CopyIntoBackupVault",
      "Resource": "*",
      "Principal": {
        "AWS": "arn:aws:iam::account-id:root"
      }
    }
  ]
}
For more information on destination account requirements, see Sharing a backup vault with a different AWS account.
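The following Python script is an added example for this article, not AWS-provided code. It builds the vault access policy shown above for one or more explicit source accounts, checks an arbitrary vault policy for a statement that grants backup:CopyIntoBackupVault to every principal, and shows how the policy document is passed to the put_backup_vault_access_policy API (the boto3 call signature is real; the client object is injected so the script runs offline). The optional aws:PrincipalOrgID condition is an addition beyond the article that ties the grant to the same-organization prerequisite. All account IDs, organization IDs and vault names are constructed placeholders.

```python
"""Build and sanity-check an AWS Backup destination vault access policy.

Added example for this article, not AWS-provided code. Account IDs,
organization IDs and vault names are constructed placeholders.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
COPY_ACTION = "backup:CopyIntoBackupVault"


def build_vault_access_policy(source_account_ids, org_id=None):
    """Return a policy dict that lets the listed source accounts copy
    recovery points into this vault.

    org_id is an assumption beyond the article: when given, an
    aws:PrincipalOrgID condition limits the grant to principals that belong
    to that organization, mirroring the same-organization prerequisite.
    """
    for acct in source_account_ids:
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"not a 12-digit AWS account ID: {acct!r}")
    statement = {
        "Sid": "Allow account to copy into backup vault",
        "Effect": "Allow",
        "Action": COPY_ACTION,
        "Resource": "*",
        # One root principal per source account; no wildcard principal.
        "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in source_account_ids]},
    }
    if org_id:
        statement["Condition"] = {"StringEquals": {"aws:PrincipalOrgID": org_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _principals(principal):
    """Flatten a policy Principal element ("*", {"AWS": "..."} or
    {"AWS": [...]}) into a flat list of principal strings."""
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():
        flat.extend([value] if isinstance(value, str) else list(value))
    return flat


def find_open_copy_grants(policy):
    """Return the Sids of Allow statements that grant the copy action to
    any principal ("*") with no Condition. Such a statement lets every AWS
    account copy recovery points into the vault, not only your organization."""
    open_sids = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if not any(a in (COPY_ACTION, "backup:*", "*") for a in actions):
            continue
        if "*" in _principals(st.get("Principal", {})):
            open_sids.append(st.get("Sid", "<no Sid>"))
    return open_sids


def apply_vault_access_policy(client, vault_name, policy):
    """Attach the policy to the destination vault. `client` is expected to be
    a boto3 AWS Backup client (boto3.client("backup")); the API takes the
    policy as a JSON string."""
    if find_open_copy_grants(policy):
        raise ValueError("refusing to apply a policy that grants copy access to any principal")
    return client.put_backup_vault_access_policy(
        BackupVaultName=vault_name, Policy=json.dumps(policy)
    )


if __name__ == "__main__":
    # Constructed source account and organization ID.
    policy = build_vault_access_policy(["111111111111"], org_id="o-exampleorgid")
    print(json.dumps(policy, indent=2))
    print("open grants:", find_open_copy_grants(policy))
```

Run the script in the destination account's context with a real boto3 client once the vault exists; the open-grant check runs before any API call, so a policy copied from a console snippet with "Principal": "*" is rejected locally rather than applied.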
Review security requirements
You can only use the default vault as a destination vault for resources that support full AWS Backup management. For more information, see Feature availability by resource.
Cross-account backups might continue for up to 15 minutes after you turn them off.
If a destination account exits the organization, then it retains the backups that were copied to it. To prevent potential data leakage, see Removing a member account from an organization with AWS Organizations.
If you delete a copy job role during a cross-account copy, then AWS Backup can't unshare snapshots from the source account when the copy job completes.
Allow cross-account backups in Organizations
Complete the following steps:
- Open the AWS Backup console.
- In the navigation pane, under My account, choose Settings.
- Under Cross-account management, turn on Cross-account backup.
Any account in your organization can share the contents of their backup vault with other accounts in the organization.
Schedule cross-account backups
Complete the following steps:
- Open the AWS Backup console.
- In the navigation pane, under My account, choose Backup plans.
- Choose Create Backup plan.
- For Start options, choose Build a new plan.
- For Backup rule configuration, create a backup rule that includes a backup schedule, backup window, and lifecycle rules. Then, add any other backup rules that you require.
- For Schedule, choose how often you want the backup to occur.
- For Backup window, use the default settings.
- Select a backup vault to save recovery points for your backup, or create a new backup vault.
Note: The backup vault allows you to save the backups in the local account.
- For Copy to destination, choose the destination AWS Region for your backup copy, and then add a new copy rule.
- Turn on the Copy to another account's vault option.
Note: This option turns blue when it activates. Then, the External vault ARN option appears.
- Enter the ARN of the destination account backup vault.
Note: AWS Backup copies the backup to the destination account's vault. The destination Region list automatically updates to the Region in the external vault ARN.
- For Allow Backup vault access, choose Allow. Then, choose Allow again.
- For Transition to cold storage, choose when to transition the backup copy to cold storage and when to delete the copy.
Note: Transition to cold storage only applies to resources that support the lifecycle to cold storage.
- Choose Create plan.
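The following Python script is an added example for this article, not AWS-provided code. It builds the same plan that the console steps above produce, in the request shape that the AWS Backup CreateBackupPlan API takes (a rule with a schedule, a local target vault, a lifecycle, and a CopyActions entry whose DestinationBackupVaultArn is the external vault ARN). It also derives the destination Region from the external vault ARN, as the console does, and rejects a lifecycle whose cold storage retention is shorter than the 90-day minimum AWS Backup enforces. The window values, schedule, ARNs and account IDs are constructed assumptions, not values from the article.

```python
"""Build a CreateBackupPlan request that copies each recovery point into
another account's backup vault.

Added example for this article, not AWS-provided code. ARNs, account IDs,
vault names and window values are constructed placeholders.
"""
import json
import re

VAULT_ARN_RE = re.compile(
    r"^arn:aws:backup:(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):"
    r"(?P<account>\d{12}):backup-vault:(?P<name>[A-Za-z0-9_-]+)$"
)
# AWS Backup keeps a recovery point in cold storage for at least 90 days, so
# DeleteAfterDays must be at least MoveToColdStorageAfterDays + 90.
MIN_COLD_STORAGE_DAYS = 90


def parse_vault_arn(arn):
    """Split a backup vault ARN into region, account and vault name."""
    match = VAULT_ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not a backup vault ARN: {arn!r}")
    return match.groupdict()


def destination_region(external_vault_arn):
    """The copy's destination Region is fixed by the external vault ARN."""
    return parse_vault_arn(external_vault_arn)["region"]


def make_lifecycle(cold_after_days=None, delete_after_days=None):
    """Build a Lifecycle element, enforcing the cold storage minimum."""
    lifecycle = {}
    if cold_after_days is not None:
        lifecycle["MoveToColdStorageAfterDays"] = cold_after_days
    if delete_after_days is not None:
        lifecycle["DeleteAfterDays"] = delete_after_days
    if (cold_after_days is not None and delete_after_days is not None
            and delete_after_days - cold_after_days < MIN_COLD_STORAGE_DAYS):
        raise ValueError(
            f"DeleteAfterDays must be at least {MIN_COLD_STORAGE_DAYS} days "
            "after MoveToColdStorageAfterDays")
    return lifecycle


def build_cross_account_plan(plan_name, source_account_id, local_vault_name,
                             external_vault_arn, schedule_expression,
                             local_lifecycle, copy_lifecycle):
    """Return the keyword arguments for boto3 client("backup").create_backup_plan."""
    dest = parse_vault_arn(external_vault_arn)
    if dest["account"] == source_account_id:
        raise ValueError("external vault belongs to the source account; "
                         "use a vault owned by the destination account")
    rule = {
        "RuleName": f"{plan_name}-daily",
        "TargetBackupVaultName": local_vault_name,   # local recovery point
        "ScheduleExpression": schedule_expression,
        "StartWindowMinutes": 480,       # assumed: start within 8 hours
        "CompletionWindowMinutes": 10080,  # assumed: complete within 7 days
        "Lifecycle": local_lifecycle,
        "CopyActions": [{
            "DestinationBackupVaultArn": external_vault_arn,  # other account
            "Lifecycle": copy_lifecycle,
        }],
    }
    return {"BackupPlan": {"BackupPlanName": plan_name, "Rules": [rule]}}


if __name__ == "__main__":
    # Constructed IDs: source account 111111111111 copies into a vault in
    # destination account 222222222222 in eu-west-1.
    request = build_cross_account_plan(
        plan_name="cross-account-plan",
        source_account_id="111111111111",
        local_vault_name="local-vault",
        external_vault_arn="arn:aws:backup:eu-west-1:222222222222:backup-vault:dest-vault",
        schedule_expression="cron(0 5 ? * * *)",
        local_lifecycle=make_lifecycle(delete_after_days=35),
        copy_lifecycle=make_lifecycle(cold_after_days=30, delete_after_days=365),
    )
    print("destination Region:", destination_region(
        request["BackupPlan"]["Rules"][0]["CopyActions"][0]["DestinationBackupVaultArn"]))
    print(json.dumps(request, indent=2))
```

Pass the returned dictionary as keyword arguments to create_backup_plan (boto3.client("backup").create_backup_plan(**request)) in the source account; the copy job still needs the destination vault policy from the earlier section, otherwise the copy is denied.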
Related information
Guidance for disaster recovery using Amazon Aurora
Protecting encrypted Amazon Relational Database Service (Amazon RDS) DB instances with cross-account and cross-Region backups