How can I set up organization-wide backups with AWS Backup?


I want to take backups for member accounts in my AWS Organization using AWS Backup.

Short description

You can create a backup policy in your management account and attach it to your member accounts to create backups in those accounts. The backup jobs and the backups themselves reside in the member accounts. After you turn on cross-account monitoring in your management account, you can view the backup jobs that are created in your member accounts.

Warning: The following process requires actions in both the AWS Organization's management account and member accounts.

To take organization-wide backups, complete the following steps:

  1. Create a management account in AWS Organizations and add member accounts.
  2. Turn on cross-account management in your management account.
  3. Turn on service opt-in for Backup in your management account.
  4. Create a backup vault in your member accounts.
  5. Create a default service role or custom AWS Identity and Access Management (IAM) role in your member accounts.
  6. Configure the backup policy in your management account and attach the backup policy to your member accounts or Organization Unit (OU).
  7. Turn on cross-account monitoring in your management account.

Resolution

Create a management account in AWS Organizations

For instructions on creating a management account, see Tutorial: Creating and configuring an organization. After the management account is set up, you can use a delegated administrator instead of the management account to create a Backup policy. For more information, see Delegated administrator support for AWS Backup.

Note: You can't change which AWS account is the management account.

Turn on cross-account management

To turn on cross-account management, do the following:

  1. Sign in to the Organization's management account, and then open the AWS Backup console.
  2. In the navigation pane, choose Settings.
  3. In the Backup policies section, choose Enable.
  4. In the Cross-account monitoring section, choose Enable.

Opt-in resources

Important: When opting in resources, consider the Resource opt-in rules.

To opt in services to use AWS Backup, do the following:

  1. Sign in to the Organization's management account, and then open the AWS Backup console.
  2. In the navigation pane, choose Settings.
  3. For Service opt-in, choose Configure resources.
  4. Turn on the AWS Backup-supported Resources you want to activate.
  5. Choose Confirm.

Notes:

  • Service opt-in settings are AWS Region specific. Be sure to check this setting in all AWS Regions where you've configured backups. For more information, see Service Opt-in.
  • Service opt-in must be turned on in the AWS management account. For backup plans that are managed by Organizations, the resource opt-in settings in the management account override the settings in a member account.

Create a backup vault

To create a backup vault, do the following:

  1. Sign in as the member account, and then open the AWS Backup console.
  2. In the navigation pane, choose Backup vaults, and then choose Create backup vault.
  3. Enter a name for your backup vault. For example, myTargetBackupVault.
  4. Select an AWS Key Management Service (AWS KMS) key. You can either create a new key or use an existing key.
  5. (Optional) Add tags that can help you search for and identify your backup vault.
  6. Choose Create Backup vault.

Note: AWS Backup doesn't check whether the backup vault and AWS Identity and Access Management (IAM) role have been created in the member accounts. If the backup vault and IAM role haven't been created, then the backup plan won't create backups.

Create a default service role or custom IAM role

To create backups in member accounts, the member accounts must contain either a default service role or custom IAM role. The custom IAM role must have the correct permissions and trust policy with AWS Backup.

You can use AWS managed policies to create the custom IAM role.

-or-

To create the default service role, do the following:

Note: The AWS Backup default service role is called AWSBackupDefaultServiceRole in your AWS account.

  1. Sign in as the member account, and then open the AWS Backup console.
  2. To create the role for your account, either assign resources to a backup plan or create an on-demand backup.
    To create a backup plan and assign resources, see Create a scheduled backup.
    To create an on-demand backup, see Create an on-demand backup.
  3. Verify that the AWSBackupDefaultServiceRole is created by opening the AWS IAM console.
  4. In the navigation pane, choose Roles.
  5. In the search, enter AWSBackupDefaultServiceRole. If the role exists, then you have successfully created the AWS Backup default role.

Note: In the backup policy, you must include service-role/AWSBackupDefaultServiceRole in the path when using the service role. If you're using a custom role, then it's in the format of role/custom-role.

Configure the backup policy

After you activate cross-account management, create a cross-account backup policy from your management account.

To create the backup policy, do the following:

  1. Sign in to the Organization's management account, and then open the AWS Backup console.
  2. In the navigation pane, choose Backup policies. On the Backup policies page, choose Create backup policy.
  3. In the Details section, enter a backup policy name and provide a description.
  4. In the Backup plans details section, choose the visual editor tab and do the following:
    For Backup plan name, enter a name.
    For Backup plan regions, choose a Region from the list.
  5. In the Add Backup Rule section, do the following:
    For Rule name, enter a name for the rule.
    For Backup vault, enter a name. Make sure that the backup vault exists in all your accounts. AWS Backup doesn't check for backup vaults in all your accounts.
    For Backup frequency, choose a backup frequency in the Frequency list, and then choose one of the Backup window options. It's a best practice to choose Use backup window defaults - recommended.
  6. (Optional) Turn on continuous backups to activate Point-in-time recovery (PITR) for Amazon Relational Database Service (Amazon RDS) or Amazon Simple Storage Service (Amazon S3) resources. For more information, see Point-in-time recovery.
  7. For Lifecycle, choose the lifecycle settings that you want.
  8. (Optional) Choose a destination Region from the list if you want your backups to be copied to another AWS Region, and add tags. You can choose tags for the recovery points that are created, regardless of the cross-Region copy settings. You can also add more rules.
  9. In the Resource assignment section, provide the name of the AWS Identity and Access Management (IAM) role. To use the AWS Backup service-linked role, enter service-role/AWSBackupDefaultServiceRole.

Note: AWS Backup assumes this role in each account to gain the permissions to perform backup and copy jobs, including encryption key permissions when applicable. AWS Backup also uses this role to perform lifecycle deletions.

  10. (Optional) Add tags to the backup plan. The maximum number of tags allowed is 20.
  11. For Advanced settings, choose Windows VSS if the resource you're backing up is running an Amazon Elastic Compute Cloud (Amazon EC2) Windows instance. This allows you to take application-consistent Windows VSS backups. For more information, see Creating Windows VSS backups.
  12. Choose Add backup plan to add it to the policy, and then choose Create backup policy.

Note: Creating a backup policy doesn't protect your resources until you attach it to the accounts.

The following is an example AWS Organizations JSON backup policy that creates an organizational backup plan:

{
  "plans": {
    "PiiBackupPlan": {
      "regions": {
        "@@append":[
          "us-east-1",
          "eu-north-1"
        ]
      },
      "rules": {
        "Hourly": {
          "schedule_expression": {
            "@@assign": "cron(0 0/1 ? * * *)"
          },
          "start_backup_window_minutes": {
            "@@assign": "60"
          },
          "complete_backup_window_minutes": {
            "@@assign": "604800"
          },
          "target_backup_vault_name": {
            "@@assign": "mySourceBackupVault"
          },
          "recovery_point_tags": {
            "owner": {
              "tag_key": {
                "@@assign": "Owner"
              },
              "tag_value": {
                "@@assign": "Backup"
              }
            }
          },
          "lifecycle": {
            "delete_after_days": {
              "@@assign": "365"
            },
            "move_to_cold_storage_after_days": {
              "@@assign": "180"
            }
          },
          "copy_actions": {
            "arn:aws:backup:eu-north-1:$account:backup-vault:myTargetBackupVault": {
              "target_backup_vault_arn": {
                "@@assign": "arn:aws:backup:eu-north-1:$account:backup-vault:myTargetBackupVault"
              },
              "lifecycle": {
                "delete_after_days": {
                  "@@assign": "365"
                },
                "move_to_cold_storage_after_days": {
                  "@@assign": "180"
                }
              }
            }
          }
        }
      },
      "selections": {
        "tags": {
          "SelectionDataType": {
            "iam_role_arn": {
              "@@assign": "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"
            },
            "tag_key": {
              "@@assign": "dataType"
            },
            "tag_value": {
              "@@assign": [
                "PII",
                "RED"
              ]
            }
          }
        }
      },
      "backup_plan_tags": {
        "stage": {
          "tag_key": {
            "@@assign": "Stage"
          },
          "tag_value": {
            "@@assign": "Beta"
          }
        }
      }
    }
  }
}

  13. In the Targets section, choose the organizational unit or individual member account that you want to attach the policy to, and then choose Attach. For more information, see Attaching a backup policy.
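AWS Backup doesn't verify that the target vault and the IAM role named in a policy exist in each member account, so a plan attached to an account that lacks them silently creates no backups. The following added Python example (not part of the AWS article) extracts the Regions, vault names and IAM role names a backup policy requires and reports what a given member account is missing. The POLICY dict is a trimmed copy of the example policy above; vault_exists and role_exists are hypothetical callables that you would back with boto3 (describe_backup_vault and get_role) after assuming a role in each member account.

```python
import re

# Trimmed copy of the article's example policy, keeping only the fields the
# check needs. "$account" is the policy variable that AWS substitutes.
POLICY = {"plans": {"PiiBackupPlan": {
    "regions": {"@@append": ["us-east-1", "eu-north-1"]},
    "rules": {"Hourly": {"target_backup_vault_name": {"@@assign": "mySourceBackupVault"}}},
    "selections": {"tags": {"SelectionDataType": {"iam_role_arn": {
        "@@assign": "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"}}}},
}}}

# Accept the $account variable or a literal 12-digit account id; group 2 is the role path.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\$account|\d{12}):role/(.+)$")


def _value(node):
    """Policy leaves are {"@@assign": x} or {"@@append": [...]}; return the value as a list."""
    v = node.get("@@assign", node.get("@@append", []))
    return v if isinstance(v, list) else [v]


def required_resources(policy):
    """Return {plan: (regions, vault names, role names)} that every member account must have."""
    out = {}
    for name, plan in policy["plans"].items():
        regions = _value(plan.get("regions", {}))
        vaults = {_value(r["target_backup_vault_name"])[0] for r in plan["rules"].values()}
        roles = set()
        for sel in plan.get("selections", {}).values():
            for s in sel.values():
                m = ROLE_ARN.match(_value(s["iam_role_arn"])[0])
                if not m:
                    raise ValueError("unexpected iam_role_arn: %s" % s)
                roles.add(m.group(2).rsplit("/", 1)[-1])  # IAM GetRole takes the name, not the path
        out[name] = (regions, vaults, roles)
    return out


def missing_in_account(account_id, policy, vault_exists, role_exists):
    """List the vault/role preconditions a member account fails; empty means the plan can run."""
    missing = []
    for plan, (regions, vaults, roles) in required_resources(policy).items():
        for region in regions:  # vaults are Regional, so check every Region the plan targets
            for vault in vaults:
                if not vault_exists(account_id, region, vault):
                    missing.append(f"{plan}: vault {vault} missing in {account_id}/{region}")
        for role in roles:  # IAM is global, one check per role name
            if not role_exists(account_id, role):
                missing.append(f"{plan}: role {role} missing in {account_id}")
    return missing
```

Run this against every account the policy targets before attaching it, and again whenever an account joins the OU; the copy_actions target vault in the other Region is a further precondition the same pattern can cover.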

Cross-account monitoring

To view jobs created in your member account from the management account, turn on cross-account monitoring in your management account. You can also turn on cross-account monitoring in your delegated administrator accounts to view jobs created in member accounts.

Additional troubleshooting

For additional troubleshooting steps, see How can I troubleshoot a Backup policy not creating any jobs in my member accounts in an AWS Organization?

Related information

Managing AWS Backup resources across multiple AWS accounts

AWS Official. Updated a year ago.