What is the easiest way of enabling cross-region AND cross-account backups for Redshift?

0

I'm making heavy use of AWS Backup to manage the backing up of all of our data resources across AWS and it's great.

However, the lack of support for cross-region and cross-account backups for Redshift is frustrating, as the data we have in Redshift is arguably the most critical for our business.

I know I can enable cross-region snapshotting for Redshift, but I also want to ensure a completely independent copy of these snapshots is available in another AWS account in the event of a security breach in the "origin" account for our RS data warehouse.

With the lack of "out of the box" support for doing this in AWS Backup, what's the next best way of achieving this? (Note that I don't see simply "sharing" a snapshot between accounts to be sufficient, as I understand that this means there's still only actually one copy in the "origin" account (that you're allowing another account to access) rather than creating a secondary copy that couldn't be deleted, for example, if the origin account was compromised.)

1 Answer
1
Accepted Answer

AWS Backup can create Redshift backups, but it is not clear if cross account copies are possible.
So the only way to accomplish your requirements is to create a Lambda or similar that automates what is described in the following document.
https://repost.aws/knowledge-center/account-transfer-redshift

Expert
answered 10 months ago
Expert
reviewed 2 months ago
  • Thanks very much, this makes sense but is also less than ideal as we would be required to pay to host a secondary Redshift cluster in the backup account just for the purpose of having an independent copy of the latest snapshot from the original cluster. That's a high financial cost when all I actually care about is having a snapshot file stored (I don't actually want to run another cluster on warm standby). Feels like a feature set is definitely missing here.

  • How about implementing a Lambda action to copy the snapshot without restoring it in the destination AWS account? In the document I shared, I shared a snapshot and then did a restore. Here, copying the snapshot without restoring will be less expensive than restoring.

  • How about changing the way of thinking and sharing the data itself, instead of snapshots, to S3 in a separate account? This method is not a snapshot and takes a little longer to restore, but if you are familiar with Redshift operations and settings around S3 permissions, this may be easier. https://repost.aws/knowledge-center/redshift-s3-cross-account

  • Hi Riku, thanks so much for coming back to me with further info. Regarding the S3 UNLOAD, that's certainly an idea we could look into. I'm curious about your other suggestion where we can 'copy' a snapshot to another account without restoring? In the document you shared, all I can find here are references to "sharing" a snapshot, rather than actually copying to another account. If we can guarantee we are making an actual copy of the snapshot from Account A in Account B, then that's ideal for us. Am I missing something here about what "sharing" means in this context?

  • I have not tried this, but I thought it might be possible to make a cross-account copy in Redshift by using AWS Backup to create a backup plan that supports cross-accounts just like EC2 and RDS. https://docs.aws.amazon.com/aws-backup/latest/devguide/create-cross-account-backup.html
    Note that there was no option to copy snapshots when they were shared cross-account, so probably standard snapshot sharing cannot be used to copy them.
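
For the S3 route suggested in the comments above, the property the question asks for (a copy the origin account cannot delete) comes from the bucket policy in the backup account. The following is an added example, not from the thread or from AWS documentation: it builds such a policy and checks it with a deliberately simplified evaluator. The account ID, role name and bucket name are placeholders, and the assumption that UNLOAD needs only `s3:PutObject` and `s3:ListBucket` should be adjusted to the UNLOAD options in use.

```python
import fnmatch
import json

# Placeholder values (assumptions, not taken from the thread).
ORIGIN_ACCOUNT = "111111111111"
UNLOAD_ROLE = f"arn:aws:iam::{ORIGIN_ACCOUNT}:role/redshift-unload"
BUCKET = "example-redshift-backup"

# Actions that would let a compromised origin account destroy or expire the copy.
DESTRUCTIVE = ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
               "s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
               "s3:PutLifecycleConfiguration", "s3:PutBucketVersioning"]

def backup_bucket_policy(bucket=BUCKET, role=UNLOAD_ROLE, account=ORIGIN_ACCOUNT):
    """Bucket policy for the backup account: origin may write, never destroy.
    PutObject can overwrite a key, so the bucket is assumed to have versioning
    enabled by the backup account."""
    b, objs = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "OriginUnloadWrite", "Effect": "Allow", "Principal": {"AWS": role},
         "Action": ["s3:PutObject"], "Resource": objs},
        {"Sid": "OriginUnloadList", "Effect": "Allow", "Principal": {"AWS": role},
         "Action": ["s3:ListBucket"], "Resource": b},
        # Explicit deny wins over any allow granted elsewhere to origin principals.
        {"Sid": "OriginNeverDestroys", "Effect": "Deny", "Principal": "*",
         "Action": DESTRUCTIVE, "Resource": [b, objs],
         "Condition": {"StringEquals": {"aws:PrincipalAccount": account}}},
    ]}

def decision(policy, principal_arn, action):
    """Simplified check of this one policy (ignores Resource and identity
    policies): explicit Deny first, then Allow, otherwise ImplicitDeny."""
    account = principal_arn.split(":")[4]
    result = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in st["Action"]):
            continue
        who = st["Principal"]
        matches = who == "*" or who.get("AWS") == principal_arn
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "aws:PrincipalAccount" in cond and cond["aws:PrincipalAccount"] != account:
            matches = False
        if matches and st["Effect"] == "Deny":
            return "Deny"
        if matches:
            result = "Allow"
    return result

if __name__ == "__main__":
    print(json.dumps(backup_bucket_policy(), indent=2))
```
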
